Abstract — We consider the reachability problem for timed automata. A standard solution to this problem involves computing a search tree whose nodes are abstractions of zones. These abstractions preserve underlying simulation relations on the state space of the automaton. For both effectiveness and efficiency reasons, they are parametrized by the maximal lower and upper bounds (LU-bounds) occurring in the guards of the automaton.

We consider the $a_{\preceq LU}$ abstraction defined by Behrmann et al. Since this abstraction can potentially yield non-convex sets, it has not been used in implementations. We prove that the $a_{\preceq LU}$ abstraction is the biggest abstraction with respect to LU-bounds that is sound and complete for reachability. We also provide an efficient technique to use the $a_{\preceq LU}$ abstraction to solve the reachability problem.

I. Introduction 

Timed automata are finite automata extended with clocks 
whose values can be compared with constants and set to 0. The 
clocks measure delays between different steps of execution of 
the automaton. The reachability problem for timed automata 
asks if there exists a path from its initial state to a given 
target state. This problem cannot be solved by a simple 
state exploration since clocks are real-valued variables. The 
standard solution to this problem involves computing the zone 
graph of the automaton that in principle could be infinite. 
In order to make it finite, zones are approximated using 
an abstraction operator. Till recently it has been generally 
assumed that for reasons of efficiency an abstraction of a zone 
should always be a zone. Here we avoid this assumption. We show a rather unexpected fact that the $a_{\preceq LU}$ approximation defined by Behrmann et al. [3] is the biggest sound and complete approximation. We also present a method of constructing the abstracted zone graph using the $a_{\preceq LU}$ approximation. Even though this approximation can yield non-convex sets, we show that our method is at least as efficient as any other currently known method based on abstractions.

The reachability problem is a basic problem in verification. 
It is historically the first problem that has been considered for 
timed-automata, and it is still a lively subject of research [3], [11]. Apart from being interesting by itself, the advances on this problem may allow to give new methods for verification of more complicated models, like priced timed-automata [7], or probabilistic timed automata [12].

All approaches to solving the reachability problem for timed 
automata should ensure termination. To tackle this, most of 
them use abstractions to group together bisimilar valuations 
of clock variables, that is, valuations not distinguishable by 
the automaton. The first solution has been based on regions: 



equivalence classes of clock valuations [1]. Their definition
is parameterized by a threshold up to which the clock values 
should be considered. A great improvement in efficiency has 
been obtained by adopting zones instead of regions. These 
are sets of valuations defined by conjunctions of differences 
between pairs of clocks. They can be efficiently implemented 
using difference bound matrices (DBMs) [10]. A challenge
with zone based approach is that they are not totally com- 
patible with regions, and moreover a forward exploration 
algorithm can produce infinitely many zones. The union of 
regions intersecting a zone is a natural candidate for a finitary 
abstraction. Indeed this abstraction would make the forward 
exploration algorithm terminate. However such a union of
regions is not necessarily a zone, so it is not clear how to 
represent it. For this reason a number of abstraction operators 
have been proposed that give an approximation of the union of 
regions intersecting a zone. Bigger approximation makes the 
abstracted zone graph smaller. So potentially it gives a more 
efficient algorithm. 

An important observation made in [3] is that if reachability is concerned then we can consider simulation instead of bisimulation. Indeed, it is safe to add configurations that are simulated by those that we have already reached. Simulation relations in question depend on the given automaton, and it is EXPTIME-hard to calculate the biggest one [13]. A pragmatic approach is to abstract some part of the structure of the automaton and define simulation based on this information. The most relevant information are the bounds with which clocks are compared in guards of the automaton. Since lower and upper bounds are considered separately, they are called LU-bounds. In [3] the authors define an abstraction based on simulation with respect to LU-bounds; it is denoted $a_{\preceq LU}$. Theoretically $a_{\preceq LU}$ is very attractive: it has clear semantics and, as we show here, it is always a union of regions. The problem is that the $a_{\preceq LU}$ abstraction of a zone is seldom a convex set, so one cannot represent the result as a zone. In this paper we give another very good reason to consider the $a_{\preceq LU}$ abstraction. We show that it is actually the biggest abstraction that is sound and complete with respect to reachability for all automata with the same LU-bounds. In other words it means that in order to get bigger (that is better) abstractions one would need to look at some other structural properties of automata than just LU-bounds.

Our main technical result is an effective algorithm for dealing with the $a_{\preceq LU}$ abstraction. It allows to manipulate this abstraction as efficiently as purely zone based ones. We




Fig. 1. A comparison of abstraction operators for zones. 

propose a forward exploration algorithm working with zones that constructs the $a_{\preceq LU}$ abstraction of the transition graph of the automaton. This algorithm uses standard operations on zones, plus a new test of inclusion of a zone in the $a_{\preceq LU}$ abstraction of another zone. The test is quadratic in the number of clocks and not more complex than that for just testing an inclusion between two zones. Since the $a_{\preceq LU}$ abstraction is the coarsest sound and complete abstraction, it can potentially give the smallest abstract systems.

A. Related work 

Forward analysis is the main approach for the reachability testing of real-time systems. The use of zone-based abstractions for termination has been introduced in [9]. In recent years, coarser abstractions have been introduced to improve efficiency of the analysis [3]. An approximation method based on LU-bounds, called $Extra^+_{LU}$, is used in the current implementation of UPPAAL [4]. In [11] it has been shown that it is possible to efficiently use the region closure of $Extra^+_{LU}$, denoted $Closure^+_{LU}$. This has been the first efficient use of a non-convex approximation. In comparison, the $a_{\preceq LU}$ approximation has a well-motivated semantics, it is also region closed, and the resulting inclusion test is even simpler than that of $Closure^+_{LU}$. A comparison of these abstractions is depicted in Fig. 1.

Let us mention that abstractions are not needed in back- 
ward exploration of timed systems. Nevertheless, any feasible 
backward analysis approach needs to simplify constraints. For 
example [14] does not use approximations and relies on an
SMT solver instead. Clearly this approach is very difficult to 
compare with the forward analysis approach we study here. 

Another related approach to verification of timed automata 
is to build a quotient graph of the semantic graph of the 
automaton with respect to some bisimulation relation [8], [16]. For reachability properties, this approach is not a priori
competitive with respect to forward exploration as it requires 
to construct the whole state space of the automaton. It is more 
adapted to checking branching time properties. 

B. Organization of the paper 

In the next section, we present preliminary definitions, 
introduce the notion of sound and complete abstractions and 
explain how these abstractions could be used to solve the 



reachability problem. In Section III we introduce the concept of LU-bounds putting limits on the constants that can be used in guards of automata. In the same section, we propose an abstraction $abs_{LU}$ and prove that it is the coarsest sound and complete abstraction for all automata with given LU-bounds. Subsequently, in Section IV we show that the $a_{\preceq LU}$ abstraction actually coincides with this biggest abstraction $abs_{LU}$. Section V then presents the efficient inclusion test for the $a_{\preceq LU}$ abstraction which allows for its use in implementations.

II. Preliminaries 

After recalling some preliminary notions, we introduce a 
concept of abstraction as a means to reduce the reachability 
problem for timed-systems to the one for finite systems. We 
then observe that simulation relation is a convenient way of 
obtaining abstractions with good properties. 

A. Timed automata and the reachability problem 

Let X be a set of clocks, i.e., variables that range over $\mathbb{R}_{\ge 0}$, the set of non-negative real numbers. A clock constraint is a conjunction of constraints $x \# c$ for $x \in X$, $\# \in \{<, \le, =, \ge, >\}$ and $c \in \mathbb{N}$, e.g. $(x < 3 \wedge y > 0)$. Let $\Phi(X)$ denote the set of clock constraints over clock variables X. A clock valuation over X is a function $v : X \to \mathbb{R}_{\ge 0}$. We denote $\mathbb{R}^X_{\ge 0}$ the set of clock valuations over X, and $\mathbf{0}$ the valuation that associates 0 to every clock in X. We write $v \models \phi$ when v satisfies $\phi \in \Phi(X)$, i.e. when every constraint in $\phi$ holds after replacing every x by $v(x)$. For $\delta \in \mathbb{R}_{\ge 0}$, let $v + \delta$ be the valuation that associates $v(x) + \delta$ to every clock x. For $R \subseteq X$, let $[R]v$ be the valuation that sets x to 0 if $x \in R$, and that sets x to $v(x)$ otherwise.

A Timed Automaton (TA) is a tuple $\mathcal{A} = (Q, q_0, X, T, Acc)$ where Q is a finite set of states, $q_0 \in Q$ is the initial state, X is a finite set of clocks, $Acc \subseteq Q$ is a set of accepting states, and $T \subseteq Q \times \Phi(X) \times 2^X \times Q$ is a finite set of transitions $(q, g, R, q')$ where g is a guard, and R is the set of clocks that are reset on the transition.

The semantics of $\mathcal{A}$ is a transition system of its configurations. A configuration of $\mathcal{A}$ is a pair $(q, v) \in Q \times \mathbb{R}^X_{\ge 0}$ and $(q_0, \mathbf{0})$ is the initial configuration. We have two kinds of transitions:

Delay: $(q, v) \xrightarrow{\delta} (q, v + \delta)$ for some $\delta \in \mathbb{R}_{\ge 0}$;

Action: $(q, v) \xrightarrow{t} (q', v')$ for some transition $t = (q, g, R, q') \in T$ such that $v \models g$ and $v' = [R]v$.

In this paper we are interested in the reachability problem that asks if there exists a configuration $(q, v)$ with accepting state $q \in Acc$ that is reachable from $(q_0, \mathbf{0})$ by any finite sequence of delay and action transitions.

The class of TA we consider is usually known as diagonal-free TA since clock comparisons like $x - y < 1$ are disallowed.
Notice that if we are interested in state reachability, consid- 
ering timed automata without state invariants does not entail 
any loss of generality as the invariants can be added to the 
guards. For state reachability, we can also consider automata 
without transition labels. 
B. Abstractions

Since the transition system determined by the automaton is 
infinite, we usually try to find a finite approximation of it by 
grouping valuations together. In consequence we work with 
configurations consisting of a state and a set of valuations. 
The transitions are then defined by: 

$(q, W) \Rightarrow^{t} (q', W')$ where $W' = \{v' : \exists v \in W.\ v \xrightarrow{t} v'\}$, and

$(q, W) \Rightarrow^{\delta t} (q', W')$ where $W' = \{v' : \exists v \in W.\ \exists \delta \in \mathbb{R}_{\ge 0}.\ v \xrightarrow{\delta} \xrightarrow{t} v'\}$.

So the $\Rightarrow^{t}$ transition is the existential lifting of the $\xrightarrow{t}$ transition to sets; similarly for the $\Rightarrow^{\delta t}$ transition, but it moreover permits any delay. We will write $\Rightarrow$ without superscript to denote the union of the two relations.

An abstraction operation [2] is a convenient way of expressing a grouping of valuations. It is a function $\mathfrak{a} : \mathcal{P}(\mathbb{R}^X_{\ge 0}) \to \mathcal{P}(\mathbb{R}^X_{\ge 0})$ such that $W \subseteq \mathfrak{a}(W)$ and $\mathfrak{a}(\mathfrak{a}(W)) = \mathfrak{a}(W)$. An abstraction operator defines an abstract semantics:

$(q, W) \Rightarrow_{\mathfrak{a}} (q', \mathfrak{a}(W'))$

when $\mathfrak{a}(W) = W$ and $(q, W) \Rightarrow (q', W')$.

If $\mathfrak{a}$ has a finite range then this abstraction is finite. Analogously we define $\Rightarrow^{t}_{\mathfrak{a}}$ and $\Rightarrow^{\delta t}_{\mathfrak{a}}$. We write $\Rightarrow^*$ for the transitive closure of $\Rightarrow$, similarly for $\to^*$.

Of course we want this abstraction to reflect some properties of the original system. In order to preserve reachability properties we can require the following two properties (where $\to$ denotes the union of $\xrightarrow{\delta}$ and $\xrightarrow{t}$):

Soundness: if $(q_0, \{v_0\}) \Rightarrow^*_{\mathfrak{a}} (q, W)$ then there is $v \in W$ such that $(q_0, v_0) \to^* (q, v)$.

Completeness: if $(q_0, v_0) \to^* (q, v)$ then there is W such that $v \in W$ and $(q_0, \{v_0\}) \Rightarrow^*_{\mathfrak{a}} (q, W)$.

It can be easily verified that if an abstraction satisfies $W \subseteq \mathfrak{a}(W)$ then the abstracted system is complete. However soundness is more delicate to obtain.

Naturally, it is important to be able to efficiently compute 
the abstract transition system. A standard way to do this 
is to use zones. A zone is a set of valuations defined by a conjunction of two kinds of constraints: comparison of the difference between two clocks with an integer like $x - y \# c$, or comparison of a single clock with an integer like $x \# c$, where $\# \in \{<, \le, =, \ge, >\}$ and $c \in \mathbb{N}$. For instance $(x - y \ge 1) \wedge (y < 2)$ is a zone. Zones can be efficiently represented using difference bound matrices (DBMs) [10].
This suggests that one should consider abstractions that give 
zones. This is an important restriction: zones are convex, and 
abstractions based on regions are usually not convex. 
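As an added example (this is not code from the paper), the following Python sketch represents a zone as a DBM, computes its canonical form, its time-successor zone, one symbolic step $(q, Z) \Rightarrow (q', Z')$ of Section II-B, and the plain zone inclusion test $Z' \subseteq Z$ that the later test $Z' \subseteq \mathfrak{a}(Z)$ is compared against. Bounds are stored as (constant, strict) pairs; the clock indices, the helper names and the sample zones are constructed, the first of them being the zone $(x - y \ge 1) \wedge (y < 2)$ from the text.

```python
from itertools import product

# Added example, not the paper's code. A zone over clocks x_1..x_n is a DBM M of size
# (n+1)x(n+1); index 0 is the reference clock whose value is always 0. M[i][j] is a
# pair (c, strict) meaning x_i - x_j < c (strict) or x_i - x_j <= c.
INF = (float("inf"), True)

def tighter(a, b):
    """True if bound a is strictly tighter than bound b."""
    return a[0] < b[0] or (a[0] == b[0] and a[1] and not b[1])

def universe(n):
    """All valuations over n clocks: x_i >= 0 (that is, 0 - x_i <= 0) and nothing else."""
    M = [[INF] * (n + 1) for _ in range(n + 1)]
    for i in range(n + 1):
        M[i][i] = (0, False)
        M[0][i] = (0, False)
    return M

def constrain(M, i, j, bound):
    """Intersect with the constraint x_i - x_j (<|<=) c, given as bound = (c, strict)."""
    M = [row[:] for row in M]
    if tighter(bound, M[i][j]):
        M[i][j] = bound
    return M

def canonical(M):
    """Floyd-Warshall closure of the DBM; returns None when the zone is empty."""
    n = len(M)
    M = [row[:] for row in M]
    for k, i, j in product(range(n), repeat=3):
        s = (M[i][k][0] + M[k][j][0], M[i][k][1] or M[k][j][1])
        if tighter(s, M[i][j]):
            M[i][j] = s
    # a cycle x_i - x_i < 0 means the constraints contradict each other
    return None if any(tighter(M[i][i], (0, False)) for i in range(n)) else M

def included(A, B):
    """Z_A subset of Z_B for canonical DBMs: no bound of B is tighter than A's."""
    return all(not tighter(B[i][j], A[i][j]) for i in range(len(A)) for j in range(len(A)))

def elapse(M):
    """Time successors of the zone: drop every upper bound x_i - x_0 <= c."""
    M = [row[:] for row in M]
    for i in range(1, len(M)):
        M[i][0] = INF
    return M

def reset(M, clocks):
    """[R]Z on a canonical DBM: a reset clock becomes 0 and inherits the reference clock's bounds."""
    M = [row[:] for row in M]
    for i in clocks:
        for j in range(len(M)):
            M[i][j] = M[0][j]
            M[j][i] = M[j][0]
        M[i][i] = (0, False)
    return M

def post(M, guard, resets):
    """One symbolic step (q, Z) => (q', Z'): delay, then guard, then reset."""
    Z = canonical(elapse(M))
    for i, j, bound in guard:
        Z = constrain(Z, i, j, bound)
    Z = canonical(Z)
    return None if Z is None else canonical(reset(Z, resets))

def example():
    # Constructed inputs: clock x is index 1, clock y is index 2.
    # The zone (x - y >= 1) /\ (y < 2) from the text: y - x <= -1 and y - 0 < 2.
    Z = canonical(constrain(constrain(universe(2), 2, 1, (-1, False)), 2, 0, (2, True)))
    Z_up = canonical(elapse(Z))
    # From the initial zone {x = y = 0}, take the step guarded by x >= 1 that resets y.
    Z0 = canonical(constrain(constrain(universe(2), 1, 0, (0, False)), 2, 0, (0, False)))
    Z1 = post(Z0, [(0, 1, (-1, False))], [2])
    # x < 1 together with x >= 1 is the empty zone.
    empty = canonical(constrain(constrain(universe(1), 1, 0, (1, True)), 0, 1, (-1, False)))
    return Z, Z_up, Z1, empty
```

The canonical form makes the inclusion test a pairwise comparison of bounds, which is why the paper measures its new test against it: the step `post` above is exactly the zone computation that the abstraction will later be layered on, and `included` is the baseline $Z' \subseteq Z$ check.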

We propose a way to use non-convex abstractions and 
zone representations at the same time. We will only consider 
sets W of the form $\mathfrak{a}(Z)$ and represent them simply by Z.
This way we can represent states of an abstract transition 
system efficiently: we need just to store a zone. In order for 



this to work we need to be able to compute the transition 
relation on this representation. We also need to know when 
two representations stand for the same node in the abstract 
system. This is summarized in the following two requirements: 

Transition compatibility: for every transition $(q, \mathfrak{a}(Z)) \Rightarrow (q', W')$ and the matching transition $(q, Z) \Rightarrow (q', Z')$ we have $W' = \mathfrak{a}(Z')$.

Efficient inclusion test: for every two zones $Z, Z'$ the test $Z' \subseteq \mathfrak{a}(Z)$ is efficient.

The first condition is quite easy to satisfy. Every abstraction 
relation coming from time-abstract simulation [15] is transition 
compatible. Assume that we are given an automaton A. 

Definition 1 (Time-abstract simulation) A (state based) time-abstract simulation between two states of a transition system is a relation $(q, v) \preceq_{t.a.} (q', v')$ such that:

• if $(q, v) \xrightarrow{\delta} (q, v + \delta) \xrightarrow{t} (q_1, v_1)$, then there exists a $\delta' \in \mathbb{R}_{\ge 0}$ such that $(q', v') \xrightarrow{\delta'} (q', v' + \delta') \xrightarrow{t} (q'_1, v'_1)$ satisfying $(q_1, v_1) \preceq_{t.a.} (q'_1, v'_1)$.

For two valuations $v, v'$, we say that $v \preceq_{t.a.} v'$ if for every state q of the automaton, we have $(q, v) \preceq_{t.a.} (q, v')$. An abstraction $\mathfrak{a}$ based on a simulation $\preceq_{t.a.}$ can be defined as follows:

Definition 2 (Abstraction based on simulation) Given a zone Z, we define $\mathfrak{a}(Z) = \{v : \exists v' \in Z.\ v \preceq_{t.a.} v'\}$.

For a given automaton this abstraction defines an abstract 
transition system. Our goal is to efficiently construct this 
system, or a relevant part of it if we are checking a reachability 
property. As explained in Section II-B, for nodes of this system we can use pairs of the form (q, Z), i.e., pairs consisting of a state and a zone. Such a pair will represent a configuration $(q, \mathfrak{a}(Z))$. The transition relation will be computed on zones. This
is possible since the abstraction is defined using a simulation 
so it is automatically transition compatible. 

Lemma 3 Let $\mathfrak{a}$ be an abstraction based on a simulation relation. For every transition $(q, \mathfrak{a}(Z)) \Rightarrow (q', W')$ and the matching transition $(q, Z) \Rightarrow (q', Z')$, we have $W' = \mathfrak{a}(Z')$.

Proof: Let $\mathfrak{a}$ be based on a simulation relation $\preceq_{t.a.}$, that is, for a set W, we have $\mathfrak{a}(W) = \{v : \exists v' \in W.\ v \preceq_{t.a.} v'\}$. Without loss of generality, assume that $\Rightarrow$ denotes a time-transition followed by an action: $\xrightarrow{\delta} \xrightarrow{t}$.

Let $v \in W'$. Then, by definition of $(q, \mathfrak{a}(Z)) \Rightarrow (q', W')$, there exists $v_1 \in \mathfrak{a}(Z)$ and a $\delta_1 \in \mathbb{R}_{\ge 0}$ such that $(q, v_1) \xrightarrow{\delta_1} \xrightarrow{t} (q', v'_1)$ and $v \preceq_{t.a.} v'_1$. Now, since $v_1 \in \mathfrak{a}(Z)$, we can find $v_2 \in Z$ satisfying $v_1 \preceq_{t.a.} v_2$. Therefore by definition of simulation relation, there exists a $\delta_2 \in \mathbb{R}_{\ge 0}$ which enables the transition $(q, v_2) \xrightarrow{\delta_2} \xrightarrow{t} (q', v'_2)$ and yields $v'_1 \preceq_{t.a.} v'_2$. As we have seen before we have $v \preceq_{t.a.} v'_1$ and so we can infer that $v \preceq_{t.a.} v'_2$. By completeness of $\Rightarrow$, we will have $v'_2 \in Z'$ and hence $v \in \mathfrak{a}(Z')$. This shows that $W' \subseteq \mathfrak{a}(Z')$.

Let $v \in \mathfrak{a}(Z')$. Then, there exists $v_1 \in Z$ and a $\delta_1 \in \mathbb{R}_{\ge 0}$ such that $v_1 \xrightarrow{\delta_1} \xrightarrow{t} v'_1$ and $v \preceq_{t.a.} v'_1$. By the property of an abstraction operator, we will have $v_1 \in \mathfrak{a}(Z)$ too. Now, directly by the definition of $(q, \mathfrak{a}(Z)) \Rightarrow (q', W')$, we get that $v \in W'$ and this shows $\mathfrak{a}(Z') \subseteq W'$. ∎

The above lemma shows that abstractions based on time- 
abstract simulations are transition compatible. This paper is 
essentially about how to satisfy the second condition (efficient 
inclusion test) and get as good abstraction as possible at the 
same time. 

III. The biggest LU abstraction

We introduce the concept of LU bounds: maximal constants used in lower and upper bounds. These can be used to define simulations and abstractions independently of automata. The goal of this section is to come up with the coarsest possible abstraction if the only a priori knowledge we have about an automaton is LU-information. To this regard, we propose an abstraction operation $abs_{LU}$ and prove that it is the biggest such (Theorem 10).

One way to obtain abstractions is to group together valua- 
tions that are not distinguishable by an automaton, i.e. consider 
a bisimulation relation. If we are after reachability proper- 
ties then one can even consider (time abstract) simulation 
relation [15]. For a given automaton it can be computed if two configurations are in a simulation relation. It should be noted though that computing the coarsest simulation relation is EXPTIME-hard [13]. Since the reachability problem can be
solved in PSPACE, this suggests that it may not be reasonable 
to try to solve it using the abstraction based on the coarsest 
simulation. 

We can get simulation relations that are computationally 
easier if we consider only a part of the structure of the 
automaton. The simplest is to take a simulation based on 
the maximal constant that appears in guards. More refined 
is to take the maximum separately over constants from lower 
bound constraints, that is in guards of the form $x > c$ or $x \ge c$, and those from upper bound constraints, that is in guards $x < c$ or $x \le c$. If one moreover does this for every clock x separately, one gets for each clock two integers $L_x$ and $U_x$. The abstraction that is currently most used is a refinement of this method by calculating $L_x$ and $U_x$ for every state of the automaton separately [2]. For simplicity of notation we will
not consider this optimization but it can be incorporated with 
no real difficulty in everything that follows. We summarize 
this presentation in the following definition. 

Definition 4 (LU-bounds) The L bound for an automaton $\mathcal{A}$ is the function assigning to every clock x the maximal constant that appears in a lower bound guard for x in $\mathcal{A}$. Similarly U
but for upper bound guards. An LU-guard is a guard where 
lower bound guards use only constants bounded by L and 
upper bound guards use only constants bounded by U. An 
LU-automaton is an automaton using only LU-guards. 
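The following Python is an added example, not the paper's code: it computes the L and U bound functions of Definition 4 from the guards of an automaton given as a list of transitions $(q, g, R, q')$, and checks whether a guard (and hence an automaton) is an LU-guard for given bounds. Guards are lists of atomic constraints (clock, op, c); an equality $x = c$ is treated as both a lower and an upper bound, and a clock that never appears in a lower (upper) bound gets bound 0, both of which are assumptions of this sketch. The automaton itself is constructed.

```python
# Added example, not the paper's code. Guards are lists of atomic constraints
# (clock, op, c); a transition is (q, guard, resets, q') as in Section II-A.
LOWER, UPPER = (">", ">="), ("<", "<=")

def lu_bounds(clocks, transitions):
    """Definition 4: L_x (resp. U_x) is the largest constant compared with x in a lower
    (resp. upper) bound guard. Assumptions of this sketch: x = c counts on both sides,
    and a clock that never occurs in a lower (upper) bound gets the bound 0."""
    L = dict.fromkeys(clocks, 0)
    U = dict.fromkeys(clocks, 0)
    for _q, guard, _resets, _q2 in transitions:
        for x, op, c in guard:
            if op in LOWER or op == "=":
                L[x] = max(L[x], c)
            if op in UPPER or op == "=":
                U[x] = max(U[x], c)
    return L, U

def is_lu_guard(guard, L, U):
    """Definition 4: lower bound constants stay within L, upper bound constants within U."""
    for x, op, c in guard:
        if (op in LOWER or op == "=") and c > L[x]:
            return False
        if (op in UPPER or op == "=") and c > U[x]:
            return False
    return True

def is_lu_automaton(transitions, L, U):
    """An LU-automaton uses only LU-guards."""
    return all(is_lu_guard(g, L, U) for _q, g, _r, _q2 in transitions)

# Constructed automaton over states q0..q2 and clocks x, y.
TRANSITIONS = [
    ("q0", [("x", ">=", 3), ("y", "<", 5)], ["y"], "q1"),
    ("q1", [("x", "<=", 1), ("y", ">", 2)], [], "q2"),
    ("q2", [("x", "=", 4)], [], "q0"),
]
```

By construction every automaton is an LU-automaton for its own bounds, and it stays one for any larger bounds; the per-state refinement mentioned in the text would simply compute these two maps once per state over the guards leaving it.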



Using LU bounds we define a simulation relation on valua- 
tions without referring to any particular automaton; or to put it 
differently, by considering all LU-automata at the same time. 

Definition 5 (LU-simulation) Let L, U be two functions giving an integer bound for every clock. The LU-simulation relation between valuations is the biggest relation $\sqsubseteq_{LU}$ such that if $v \sqsubseteq_{LU} v'$ then for every LU-guard g, and set of clocks $R \subseteq X$ we have

• if $v \xrightarrow{g,R} v_1$ for some $v_1$ then $v' \xrightarrow{g,R} v'_1$ for some $v'_1$ such that $v_1 \sqsubseteq_{LU} v'_1$,

where $v \xrightarrow{g,R} v_1$ means that for some $\delta \in \mathbb{R}_{\ge 0}$ we have $v + \delta \models g$ and $v_1 = [R](v + \delta)$.

One can check that $\sqsubseteq_{LU}$ is the biggest relation that is a time-abstract simulation for all automata with given LU bounds.

A simulation relation permits to define an abstraction operator. Basically, to the abstraction of Z we can add all valuations that can be simulated by a valuation in Z. This way we guarantee soundness of the abstraction as the added valuations cannot do more than the valuations already present in Z.

Definition 6 (Abstraction based on LU-simulation) For a zone Z we define: $abs_{LU}(Z) = \{v : \exists v' \in Z.\ v \sqsubseteq_{LU} v'\}$.

The definition of LU-simulation is sometimes difficult to 
work with since it talks about infinite sequences of actions. 
In the next lemma we present a useful characterization im- 
plying that actually we need to consider only very particular 
sequences of transitions that are of length bounded by the 
number of clocks (Corollary 9). For this discussion let us
fix some L and U functions. We start with a preparatory 
definition. 

Definition 7 For a valuation v we define its LU-region, denoted $r_{LU}(v)$, to be the set of valuations $v'$ such that:

• $v'$ satisfies the same LU-guards as v.

• For every pair of clocks x, y with $\lfloor v(x) \rfloor = \lfloor v'(x) \rfloor$, $\lfloor v(y) \rfloor = \lfloor v'(y) \rfloor$, $v(x) < U_x$ and $v(y) < L_y$ we have:

  - if $\{v(x)\} < \{v(y)\}$ then $\{v'(x)\} < \{v'(y)\}$,

  - if $\{v(x)\} = \{v(y)\}$ then $\{v'(x)\} \le \{v'(y)\}$.

The first condition roughly says that the integer parts of the 
two valuations are the same. Observe that we cannot require 
that they are exactly the same for values between L and U 
bounds. The second part says that the order of fractional 
parts should be the same, but once again we restrict only to 
inequalities that we can express within our LU-bounds. Notice that if $L_x = U_x = M$, for some M and all clocks x, then we get just the usual definition of regions with respect to M.

Lemma 8 For every two valuations v and $v'$:

$v \sqsubseteq_{LU} v'$ iff there is $\delta' \in \mathbb{R}_{\ge 0}$ with $v' + \delta' \in r_{LU}(v)$.

Proof: First let us take v and define a sequence of abstract transitions that reflect the definition of $r_{LU}(v)$. We define some guards. Let $g_{int}$ be the conjunction of all LU-guards that v satisfies. For every pair of clocks x, y such that $v(x) < U_x$, $v(y) < L_y$ we consider guards:

• if $\{v(x)\} < \{v(y)\}$ then we take a guard $g_{xy} = (x < \lfloor v(x) \rfloor + 1) \wedge (y \ge \lfloor v(y) \rfloor + 1)$,

• if $\{v(x)\} = \{v(y)\}$ then we take a guard $g_{xy} = (x \le \lfloor v(x) \rfloor + 1) \wedge (y \ge \lfloor v(y) \rfloor + 1)$.

Finally for every y with $v(y) < L_y$ we put $g_y = \bigwedge \{g_{xy} : v(x) < U_x\}$. Note that the guards that are defined are consistent with the LU bounds.

Consider all the clocks y with $v(y) < L_y$ and suppose that $y_1, \ldots, y_k$ is the ordering of these clocks with respect to the value of their fractional parts: $\{v(y_1)\} \le \cdots \le \{v(y_k)\}$. Let $seq(v)$ be the sequence of transitions $\xrightarrow{g_{int}} \xrightarrow{g_{y_k}} \cdots \xrightarrow{g_{y_1}}$; since the resets are empty we have not represented them in the labels of the sequence.

The sequence $seq(v)$ can be performed from v:

$v \xrightarrow{g_{int}} v \xrightarrow{g_{y_k}} v + \delta_k \xrightarrow{g_{y_{k-1}}} v + \delta_{k-1} \cdots \xrightarrow{g_{y_1}} v + \delta_1$

when choosing $\delta_i = (1 - \{v(y_i)\})$ or $\delta_i = (1 - \{v(y_i)\}) + \varepsilon$ for some sufficiently small $\varepsilon > 0$, depending on whether we test for non-strict or strict inequality in $g_{y_i}$. Delay $\delta_i$ makes the value of $y_i$ integer or just above integer. It is also easy to check that if it is possible to do this sequence of transitions from some valuation $v'$ then there is $\delta' \in \mathbb{R}_{\ge 0}$ such that $v' + \delta' \in r_{LU}(v)$. This shows the left to right implication.

For the right to left implication we show that the relation $S = \{(v, v') : v' \in r_{LU}(v)\}$ is an LU-simulation relation. For this we take any $(v, v') \in S$, any LU guard g, and any reset R such that $v \xrightarrow{g,R} v_1$. We show that $v' \xrightarrow{g,R} v'_1$ for some $v'_1$ with $(v_1, v'_1) \in S$. The argument is very similar to the one for standard regions. ∎

The sequence seq{v) introduced in the above proof will be 
quite useful. In particular the proof shows the following. 

Corollary 9 For two valuations v, $v'$:

$v \sqsubseteq_{LU} v'$ iff $v'$ can execute the sequence $seq(v)$.
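As an added example (not the paper's code), the following Python builds the test sequence $seq(v)$ of Lemma 8 for a valuation v and decides, as Corollary 9 states, whether another valuation $v'$ can execute it. Guards are lists of atomic constraints (clock, op, c); $g_{int}$ is encoded by the tightest lower and upper LU-guard that each clock satisfies, which is equivalent to the conjunction of all satisfied LU-guards since every such guard is implied by it; the delays are searched greedily with exact rationals plus a symbolic infinitesimal so that strict guards are decided exactly. The clock names, the bounds and the sample valuations are constructed.

```python
from fractions import Fraction as F
from math import floor

# Added example, not the paper's code. A valuation is a dict clock -> Fraction, L and U
# are dicts clock -> int, and a guard is a list of atomic constraints (clock, op, c)
# with op in {"<", "<=", ">=", ">"} and integer c.

def frac(q):
    """Fractional part {q} of a non-negative rational q."""
    return q - floor(q)

def g_int(v, L, U):
    """Tightest LU-guard satisfied by v: per clock, the strongest satisfied lower bound
    (constant at most L_x) and, if one exists, the strongest satisfied upper bound
    (constant at most U_x). It implies every LU-guard v satisfies, so it stands for g_int."""
    g = []
    for x, val in v.items():
        c = min(floor(val), L[x])
        g.append((x, ">" if val > c else ">=", c))
        if val <= U[x]:
            g.append((x, "<=", floor(val)) if frac(val) == 0 else (x, "<", floor(val) + 1))
    return g

def seq(v, L, U):
    """seq(v) of Lemma 8: g_int, then g_{y_k}, ..., g_{y_1} for the clocks y with v(y) < L_y
    ordered by increasing fractional part, where g_y conjoins g_xy over x with v(x) < U_x."""
    ys = sorted((y for y in v if v[y] < L[y]), key=lambda y: frac(v[y]))
    guards = [g_int(v, L, U)]
    for y in reversed(ys):
        gy = []
        for x in v:
            if v[x] >= U[x]:
                continue
            if frac(v[x]) < frac(v[y]):
                gy += [(x, "<", floor(v[x]) + 1), (y, ">=", floor(v[y]) + 1)]
            elif frac(v[x]) == frac(v[y]):
                gy += [(x, "<=", floor(v[x]) + 1), (y, ">=", floor(v[y]) + 1)]
        guards.append(gy)
    return guards

def can_execute(guards, w):
    """Can w take the guards in order, delaying between them and never resetting?
    The cumulative delay is a pair (q, k) standing for q + k*eps with eps an infinitesimal,
    ordered lexicographically. Each guard restricts the cumulative delay to an interval, so
    taking the least admissible delay at every step is optimal."""
    D = (F(0), 0)
    for g in guards:
        lo, hi = D, None                      # hi = (bound, strict) on the cumulative delay
        for x, op, c in g:
            b = F(c) - w[x]                   # (w(x) + D) op c  is  D op b
            if op == ">=":
                lo = max(lo, (b, 0))
            elif op == ">":
                lo = max(lo, (b, 1))
            else:
                cand = (b, op == "<")
                if hi is None or cand[0] < hi[0] or (cand[0] == hi[0] and cand[1]):
                    hi = cand
        if hi is not None and (lo[0] > hi[0] or (lo[0] == hi[0] and (hi[1] or lo[1] > 0))):
            return False
        D = lo
    return True

def simulated_lu(v, w, L, U):
    """Corollary 9: v is LU-simulated by w iff w can execute seq(v)."""
    return can_execute(seq(v, L, U), w)

# Constructed instance: two clocks with L = U = 2, i.e. classical regions with bound 2.
L = {"x": 2, "y": 2}
U = {"x": 2, "y": 2}
V = {"x": F(1, 2), "y": F(7, 10)}
```

For V the sequence is $g_{int}$ (both clocks strictly between 0 and 1), then the guard that makes y reach 1 while x stays below 1, then the guard that pins x at 1: a valuation with the same fractional order, such as $(x, y) = (0.2, 0.9)$, executes it, while $(0.9, 0.2)$ fails at the second guard and $(3, 3)$ already fails $g_{int}$.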

We are now ready to prove the first main result of this section showing that $abs_{LU}(Z)$ is the biggest sound and complete abstraction that uses solely LU information.

Theorem 10 The $abs_{LU}$ abstraction is the biggest abstraction that is sound and complete for all LU-automata.

Proof: Suppose that we have some other abstraction $\mathfrak{a}'$ that is not included in $abs_{LU}$ on at least one LU-automaton. This means that there is some LU-automaton $\mathcal{A}_1$ and its reachable configuration $(q_1, Z)$ such that $\mathfrak{a}'(Z) \setminus abs_{LU}(Z)$ is not empty. We suppose that $\mathfrak{a}'$ is complete and show that it is not sound.

Take $v \in \mathfrak{a}'(Z) \setminus abs_{LU}(Z)$. Consider the test sequence $seq(v)$ as in Corollary 9. From this corollary we know that



Automaton $\mathcal{A}_1$

Fig. 2. Adding the sequence $seq(v)$ to $\mathcal{A}_1$.

it is possible to execute this sequence from v but it is not possible to do it from any valuation in Z since otherwise we would get $v \in abs_{LU}(Z)$.

As illustrated in Fig. 2 we add to $\mathcal{A}_1$ a new sequence of transitions constructed from the sequence $seq(v)$. We start this sequence from $q_1$, and let $q_f$ be the final state of this new sequence. The modified automaton $\mathcal{A}_1$ started in the initial configuration arrives with $(q_1, Z)$ in $q_1$ and then it can try to execute the sequence we have added. From what we have observed above, it will not manage to reach $q_f$. On the other hand from v it will manage to complete the sequence.

But then by completeness of the abstraction $(q_1, \mathfrak{a}'(Z)) \Rightarrow^* (q_f, W)$ for a nonempty W. So $\mathfrak{a}'$ is not a sound abstraction. ∎

IV. The $a_{\preceq LU}$ abstraction

Since $abs_{LU}$ is the biggest abstraction, we would like to use it in a reachability algorithm. The definition of $abs_{LU}$, or even the characterization referring to $r_{LU}$, are still too complicated to work with. The $a_{\preceq LU}$ abstraction proposed by Behrmann et al. in [3] has a much simpler definition. It turns out that in the context of reachability analysis the two abstractions coincide (Theorem 15).

We begin by recalling the definition of an LU-preorder defined in [3]. We use a different but equivalent formulation.

Definition 11 (LU-preorder [3]) Let $L, U : X \to \mathbb{N}$ be two bound functions. For a pair of valuations we set $v \preceq_{LU} v'$ if for every clock x:

• if $v'(x) < v(x)$ then $v'(x) > L_x$, and

• if $v'(x) > v(x)$ then $v(x) > U_x$.

Definition 12 (LU-abstraction [3]) For L, U as above. For a set of valuations W we define:

$a_{\preceq LU}(W) = \{v : \exists v' \in W.\ v \preceq_{LU} v'\}$.
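The following Python is an added example, not code from the paper or from [3]: it implements the preorder of Definition 11 and the membership test $v \in a_{\preceq LU}(W)$ of Definition 12 for a finite set W, and uses them to exhibit the non-convexity the text warns about: two points of $a_{\preceq LU}(W)$ whose midpoint is outside it. Valuations are dicts clock -> Fraction, bounds are dicts clock -> int, and the bounds and points are constructed.

```python
from fractions import Fraction as F

# Added example, not the paper's code. Valuations are dicts clock -> Fraction; L and U
# are dicts clock -> int, the bound functions of Definition 11.

def preceq_lu(v, w, L, U):
    """Definition 11: v is below w in the LU-preorder. Per clock, w may only be smaller
    than v when w(x) is already above L_x, and only larger when v(x) is above U_x."""
    for x in v:
        if w[x] < v[x] and not w[x] > L[x]:
            return False
        if w[x] > v[x] and not v[x] > U[x]:
            return False
    return True

def in_abstraction(v, W, L, U):
    """Definition 12 for a finite W: v lies in a_LU(W) iff some w in W is above v."""
    return any(preceq_lu(v, w, L, U) for w in W)

def midpoint(a, b):
    return {x: (a[x] + b[x]) / 2 for x in a}

def nonconvex_witness(W, L, U, a, b):
    """True when a and b lie in a_LU(W) but their midpoint does not: the abstraction of W
    is then not convex, so it cannot be represented by a zone."""
    return (in_abstraction(a, W, L, U) and in_abstraction(b, W, L, U)
            and not in_abstraction(midpoint(a, b), W, L, U))

# Constructed instance: clock x has L_x = 0, U_x = 10; clock y has L_y = 10, U_y = 0.
L = {"x": 0, "y": 10}
U = {"x": 10, "y": 0}
W = [{"x": F(5), "y": F(5)}, {"x": F(1), "y": F(1)}]
A = {"x": F(6), "y": F(5)}
B = {"x": F(1), "y": F(1)}
```

For a single valuation w the set $\{v : v \preceq_{LU} w\}$ is a box (per clock an interval fixed by where $w(x)$ sits relative to $L_x$ and $U_x$), so $a_{\preceq LU}(W)$ is a union of boxes; with the two points of W above, the union is not convex, which is the obstacle to storing it as a DBM.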

A. Abstractions $abs_{LU}$ and $a_{\preceq LU}$ coincide

Our goal is to show that when we consider zones closed under time-successors, $a_{\preceq LU}$ and $abs_{LU}$ coincide. To prove this, we would first show that there is a very close connection between valuations in $r_{LU}(v)$ and valuations that simulate v with respect to $\preceq_{LU}$. The following lemma says that if $v' \in r_{LU}(v)$ then by slightly adjusting the fractional parts of $v'$ we can get a valuation $v'_1$ such that $v \preceq_{LU} v'_1$. We start with a preliminary definition.
Definition 13 A valuation $v_1$ is said to be in the neighbourhood of v, written $v_1 \in nbd(v)$, if for all clocks x, y:

• $\lfloor v(x) \rfloor = \lfloor v_1(x) \rfloor$,

• $\{v(x)\} = 0$ iff $\{v_1(x)\} = 0$,

• $\{v(x)\} \bowtie \{v(y)\}$ implies $\{v_1(x)\} \bowtie \{v_1(y)\}$, where $\bowtie$ is either $<$ or $=$.

Notice that the neighbourhood of v is the same as the region of v with respect to the classical region definition [1] with maximal bound being $\infty$.

Lemma 14 (Adjustment) Let v be a valuation and let $v' \in r_{LU}(v)$. Then, there exists a $v'_1 \in nbd(v')$ such that $v \preceq_{LU} v'_1$.

Proof: Let $v' \in r_{LU}(v)$. The goal is to construct a valuation $v'_1 \in nbd(v')$ that satisfies $v \preceq_{LU} v'_1$. To be in the neighbourhood, the valuation $v'_1$ should have the same integral parts as that of $v'$ and should agree on the ordering of fractional parts. So for all x, we put $\lfloor v'_1(x) \rfloor = \lfloor v'(x) \rfloor$. It remains to choose the fractional parts for $v'_1$. But before, we will first see that there are clocks for which, irrespective of what the fractional part is, the two conditions in Definition 11 would be true.

Consider a clock x that has $\lfloor v'(x) \rfloor < \lfloor v(x) \rfloor$. Since $v'$ satisfies all LU-guards as v, we should have $v'(x) > L_x$. The first condition of $\preceq_{LU}$ for x becomes true and the second condition is vacuously true. Similarly, when $\lfloor v'(x) \rfloor > \lfloor v(x) \rfloor$, we should have $v(x) > U_x$ and the second condition of $\preceq_{LU}$ becomes true and the first condition is vacuously true. Therefore, clocks x that do not have the same integral part in v and $v'$ satisfy the $\preceq_{LU}$ condition directly thanks to the different integral parts. Whatever the fractional parts of $v'_1$ are, the $\preceq_{LU}$ condition for these clocks would still be true.

Let us therefore now consider only the clocks that have the same integral parts: $\lfloor v'(x) \rfloor = \lfloor v(x) \rfloor$. If this integer is strictly greater than both $L_x$ and $U_x$, the two conditions of $\preceq_{LU}$ would clearly be satisfied, again irrespective of the fractional parts. So we consider only the clocks x that have the same integral part in both v and $v'$ and additionally either $\lfloor v(x) \rfloor \le U_x$ or $\lfloor v(x) \rfloor \le L_x$.

We prune further from among these clocks. Suppose there is such a clock that has $\{v'(x)\} = 0$. To be in the neighbourhood, we need to set $\{v'_1(x)\} = 0$. If $\{v(x)\}$ is 0 too, we are done as the $\preceq_{LU}$ condition becomes vacuously true. Otherwise, we would have $v'(x) = v'_1(x) < v(x)$. But recall that $v' \in r_{LU}(v)$ and so it satisfies the same LU-guards as v does. This entails that $v'_1(x) > L_x$ and we get the first condition of $\preceq_{LU}$ to be true. Once again, the other condition is trivial. So we eliminate clocks that have zero fractional parts in $v'$. A similar argument can be used to eliminate clocks that have zero fractional parts in v.

So finally, we end up with the set of clocks x that have:

• $\lfloor v'(x) \rfloor = \lfloor v(x) \rfloor$,

• $\{v'(x)\} > 0$ and $\{v(x)\} > 0$,

• $v(x) < \max(U_x, L_x)$.

Call this set $X_f$. The task is to select non-zero fractional values $\{v'_1(x)\}$ for all clocks in $X_f$ so that they match with the order in $v'$. This is the main challenge and this is where we would be using the second property in the definition of $v' \in r_{LU}(v)$, which we restate here:

$\forall x, y \in X_f$ such that $v(x) < U_x$ and $v(y) < L_y$: (1)
$\{v(x)\} < \{v(y)\} \Rightarrow \{v'(x)\} < \{v'(y)\}$
$\{v(x)\} = \{v(y)\} \Rightarrow \{v'(x)\} \le \{v'(y)\}$

Let $0 < \lambda_1 < \lambda_2 < \cdots < \lambda_n < 1$ be the fractional values taken by clocks of $X_f$ in $v'$, that is, for every clock $x \in X_f$, the fractional value $\{v'(x)\} = \lambda_i$ for some $i \in \{1, \ldots, n\}$. Let $X_i$ be the set of clocks $x \in X_f$ that have the fractional value $\lambda_i$:

$X_i = \{x \in X_f \mid \{v'(x)\} = \lambda_i\}$

for $i \in \{1, \ldots, n\}$.

In order to match with the ordering of $v'$, one can see that for all clocks $x_i$ in some $X_i$, the value of $\{v'_1(x_i)\}$ should be the same, and if $x_j \in X_j$ with $i \ne j$, then we need to choose $\{v'_1(x_i)\}$ and $\{v'_1(x_j)\}$ depending on the order between $\lambda_i$ and $\lambda_j$.

Therefore, we need to pick n values $0 < \sigma_1 < \sigma_2 < \cdots < \sigma_n < 1$ and assign for all $x_i \in X_i$ the fractional part $\{v'_1(x_i)\} = \sigma_i$. We show that it can be done by an induction involving n steps.

After the $k^{th}$ step of the induction we assume the following hypothesis:

• we have picked values $0 < \sigma_{n-k+1} < \sigma_{n-k+2} < \cdots < \sigma_n < 1$,

• for all clocks $x \in X_{n-k+1} \cup X_{n-k+2} \cup \cdots \cup X_n$, the $\preceq_{LU}$ condition is satisfied,

• for all clocks $y \in X_1 \cup X_2 \cup \cdots \cup X_{n-k}$, we have

$v(y) < L_y \Rightarrow \{v(y)\} < \sigma_{n-k+1}$ (2)

Let us now perform the $(k+1)^{th}$ step and show that the hypothesis is true for $k + 1$. The task is to pick $\sigma_{n-k}$. We first define two values $0 \le l \le 1$ and $0 \le u \le 1$ as follows:

$l = \max\{\{v(z)\} \mid z \in X_{n-k} \text{ and } v(z) < L_z\}$
$u = \min(\{\{v(z)\} \mid z \in X_{n-k} \text{ and } v(z) < U_z\} \cup \{\sigma_{n-k+1}\})$

We claim that $l \le u$. Firstly, $l < \sigma_{n-k+1}$ from the third part of the induction hypothesis. So if u is $\sigma_{n-k+1}$ we are done. If not, suppose $l > u$; this means that there are clocks $x, y \in X_{n-k}$ with $v(x) < U_x$ and $v(y) < L_y$ such that $\{v(x)\} < \{v(y)\}$. From Equation (1) this would imply that $\{v'(x)\} < \{v'(y)\}$. But this leads to a contradiction since we know they both equal $\lambda_{n-k}$ in $v'$.

This leaves us with two cases, either $l = u$ or $l < u$. When $l = u$, we pick $\sigma_{n-k} = l = u$. Firstly, from the third part of the hypothesis, we should have $l < \sigma_{n-k+1}$ and so $\sigma_{n-k} < \sigma_{n-k+1}$. Secondly for all $z \in X_{n-k}$, if $v'_1(z) < v(z)$, then z should not contribute to l and so $v(z) \ge L_z$, which is equivalent to saying $v'_1(z) > L_z$. Similarly, if $v'_1(z) > v(z)$, then z should not contribute to u and so $v(z) \ge U_z$, thus satisfying the $\preceq_{LU}$ condition for z. Finally, we should show
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(gi,Zl) (?2,^2) (g3,^3) 
t t t 

(gi,zt) (92,^) (g3,^) 
Fig. 3. A reachability tree in a zone graph alternating r and a edges. 

the third hypothesis. Consider a clock y e Xi U ■ • • UX„_/i;_i 
with < Ly. If {«(?/)} > Cn-fc, it would mean that 

{yhiVi — ^ from Equation [T] gives a contradiction. So the 
three requirements of the induction assumption are satisfied 
after this step in this case. 

Now suppose I < u. Consider a clock y £ Xi U ■ • • U 
Xn-k-i such that v{y) < Ly. From Equation [H we should 
have {v{y)} < u. Take the maximum of {v{y)} over all such 
clocks: 

A = max{{i;(?;)} \ y e XiU ■ ■ - U X^-k-i and v{y) < Ly} 

Choose (Tn-k in the interval (A, u). We can see that all the 
three assumptions of the induction hold after this step. 

■ 
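The induction above is constructive, so it can be run. The following is an added example written for this page, not code from the paper: it builds $v'_1$ from a constructed pair $v, v'$ with $v' \in r_{LU}(v)$ and checks the two properties the lemma promises. It assumes the conventions defined earlier in the paper and not restated on this page: $v \preceq_{LU} v_1$ iff for every clock $x$, $v_1(x) < v(x)$ implies $v_1(x) > L_x$ and $v_1(x) > v(x)$ implies $v(x) > U_x$; $nbd(w)$ is the set of valuations with the same integer parts as $w$ and the same ordering of fractional parts (zero fractions included); the LU-guards are $x > c$, $x \ge c$ for $c \le L_x$ and $x < c$, $x \le c$ for $c \le U_x$. The midpoint of the open interval is taken as $\sigma_{n-k}$; any other point of the interval would do.

```python
# Added example (not from the paper): the construction of the adjustment lemma
# on a constructed pair of valuations.  Assumed conventions (defined earlier in
# the paper, not on this page): v ≼LU v1 iff for every clock x, v1(x) < v(x)
# implies v1(x) > L_x and v1(x) > v(x) implies v(x) > U_x; nbd(w) = same integer
# parts as w and same ordering of fractional parts; LU-guards are x > c, x ≥ c
# for c ≤ L_x and x < c, x ≤ c for c ≤ U_x.  Fractions keep arithmetic exact.
from fractions import Fraction as F
from math import floor

def frac(a):
    return a - floor(a)

def simulates(v, v1, L, U):
    """v ≼LU v1 (assumed definition, see above)."""
    return all((v1[x] >= v[x] or v1[x] > L[x]) and (v1[x] <= v[x] or v[x] > U[x])
               for x in v)

def same_nbd(a, b):
    """a ∈ nbd(b): equal integer parts, same zero fractions, same fractional order."""
    clocks = list(a)
    if any(floor(a[x]) != floor(b[x]) or (frac(a[x]) == 0) != (frac(b[x]) == 0)
           for x in clocks):
        return False
    return all((frac(a[x]) < frac(a[y])) == (frac(b[x]) < frac(b[y]))
               for x in clocks for y in clocks)

def x_f(v, vp, L, U):
    """The clocks X_f whose fractional part the construction has to choose."""
    return [x for x in v if floor(v[x]) == floor(vp[x]) and frac(v[x]) > 0
            and frac(vp[x]) > 0 and v[x] < max(L[x], U[x])]

def in_r_LU(v, vp, L, U):
    """v' ∈ r_LU(v): same LU-guards, and Equation (1) on X_f."""
    for x in v:
        for c in range(max(L[x], U[x]) + 1):
            if c <= L[x] and ((v[x] > c) != (vp[x] > c) or (v[x] >= c) != (vp[x] >= c)):
                return False
            if c <= U[x] and ((v[x] < c) != (vp[x] < c) or (v[x] <= c) != (vp[x] <= c)):
                return False
    Xf = x_f(v, vp, L, U)
    for x in Xf:
        for y in Xf:
            if v[x] < U[x] and v[y] < L[y]:
                if frac(v[x]) < frac(v[y]) and not frac(vp[x]) < frac(vp[y]):
                    return False
                if frac(v[x]) == frac(v[y]) and not frac(vp[x]) <= frac(vp[y]):
                    return False
    return True

def adjust(v, vp, L, U):
    """Lemma 14: from v' ∈ r_LU(v) build v1' ∈ nbd(v') with v ≼LU v1'.
    X_1..X_n group X_f by the fractional part in v'; the loop runs the induction
    of the proof from X_n down to X_1 and picks sigma_i at each step."""
    Xf = x_f(v, vp, L, U)
    lams = sorted({frac(vp[x]) for x in Xf})                 # λ_1 < ... < λ_n
    classes = [[x for x in Xf if frac(vp[x]) == lam] for lam in lams]
    sigma, upper = {}, F(1)                # upper plays the role of σ_{n-k+1}
    for i in range(len(classes) - 1, -1, -1):
        X = classes[i]
        l = max([frac(v[z]) for z in X if v[z] < L[z]], default=F(0))
        u = min([frac(v[z]) for z in X if v[z] < U[z]] + [upper])
        assert l <= u                      # the claim l ≤ u of the proof
        if l == u:
            sigma[i] = l
        else:                              # any point of (max(l, λ), u) works
            lam = max([frac(v[y]) for c in classes[:i] for y in c if v[y] < L[y]],
                      default=F(0))
            sigma[i] = (max(l, lam) + u) / 2
        upper = sigma[i]
    v1 = dict(vp)                          # clocks outside X_f keep v' values
    for i, X in enumerate(classes):
        for x in X:
            v1[x] = floor(vp[x]) + sigma[i]
    return v1

# Constructed instance: v' ∈ r_LU(v) holds, but v ≼LU v' fails on clock b.
L = {"a": 1, "b": 2, "c": 2}
U = {"a": 3, "b": 2, "c": 2}
V = {"a": F(3, 2), "b": F(3, 2), "c": F(6, 5)}
VP = {"a": F(13, 10), "b": F(8, 5), "c": F(6, 5)}

if __name__ == "__main__":
    v1 = adjust(V, VP, L, U)
    print("v' in r_LU(v):", in_r_LU(V, VP, L, U), " v <=LU v':", simulates(V, VP, L, U))
    print("v1' =", v1, " v <=LU v1':", simulates(V, v1, L, U), " in nbd(v'):", same_nbd(v1, VP))
```

On this instance the classes are $X_1 = \{c\}$, $X_2 = \{a\}$, $X_3 = \{b\}$; the step for $b$ has $l = u = 1/2$, the step for $a$ has $l = 0 < u = 1/2$ with $\lambda = 1/5$, and the step for $c$ again has $l = u = 1/5$, so $v'_1 = (a{:}\,27/20,\ b{:}\,3/2,\ c{:}\,6/5)$.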

We are now ready to prove the second main result of
this section. We write $\overrightarrow{Z}$ for the closure of $Z$ under time-
successors: $\overrightarrow{Z} = \{v + \delta : v \in Z, \delta \in \mathbb{R}_{\ge 0}\}$. We say that a
zone $Z$ is time-elapsed if $Z = \overrightarrow{Z}$.

Theorem 15 If $Z$ is time-elapsed then

$abs_{LU}(Z) = a_{\preceq LU}(Z)$

Proof: Suppose $v \in a_{\preceq LU}(Z)$. There exists a $v' \in Z$ such
that $v \preceq_{LU} v'$. It can be easily verified that $\preceq_{LU}$ is an LU-
simulation relation. Since $\sqsubseteq_{LU}$ is the biggest LU-simulation,
we get that $v \sqsubseteq_{LU} v'$. Hence $v \in abs_{LU}(Z)$.

Suppose $v \in abs_{LU}(Z)$. There exists $v' \in Z$ such that
$v \sqsubseteq_{LU} v'$. From Lemma 8 this implies there exists a $\delta'$ such
that $v' + \delta' \in r_{LU}(v)$. As $Z$ is time-elapsed, we get $v' + \delta' \in Z$.
Moreover, from Lemma 14 we know that there is a valuation
$v'_1 \in nbd(v' + \delta')$ such that $v \preceq_{LU} v'_1$. Every valuation in the
neighbourhood of $v' + \delta'$ satisfies the same constraints of the
form $y - x \lhd c$ with respect to all clocks $x, y$ and hence $v'_1$
belongs to $Z$ too. Therefore, we have a valuation $v'_1 \in Z$ such
that $v \preceq_{LU} v'_1$ and hence $v \in a_{\preceq LU}(Z)$. ■

B. Using $a_{\preceq LU}$ to solve the reachability problem

A forward exploration algorithm for solving the reachability
problem constructs the reachability tree starting from the initial
node $(q_0, Z_0)$ (cf. Fig. 3). Observe that the algorithm should
not take two consecutive action transitions. Indeed, instead of
doing $(q_1, Z_1) \Rightarrow^a (q_2, Z_2) \Rightarrow^a (q_3, Z_3)$, it is preferable to do
$(q_1, Z_1) \Rightarrow^a (q_2, Z_2) \Rightarrow^\tau (q_2, \overrightarrow{Z_2}) \Rightarrow^a (q_3, \overrightarrow{Z_3})$ since $Z_2 \subseteq
\overrightarrow{Z_2}$ and $\Rightarrow$ is monotone with respect to zone inclusion. For
this reason the algorithm can start in the time-elapsed initial node
$(q_0, \overrightarrow{Z_0})$, and for every node $(q, Z)$ consider its successors
$(q, Z) \Rightarrow^a \Rightarrow^\tau (q', Z')$ disregarding the intermediate node. So
all nodes visited by the algorithm have time-elapsed zones.

Before continuing exploration from a node $(q, Z)$, the algo-
rithm first checks if $q$ is accepting. If not, the algorithm checks
if for some visited node $(q, Z')$, we have $Z \subseteq a_{\preceq LU}(Z')$. If
this is the case, $(q, Z)$ need not be explored. Otherwise, the
successors of $(q, Z)$ are computed as stated above. This way
we ensure termination of the algorithm since $a_{\preceq LU}$ is a finitary
abstraction [3] (see also Proposition 17).

Since the reachability algorithm refers to only time-elapsed
zones, Theorems 10 and 15 show that $a_{\preceq LU}$ is the biggest
sound and complete abstraction provided the only thing we
know about the structure of the automaton are its $L$ and $U$
bounds. Recall that bigger abstractions make the abstract graph
smaller, so the exploration algorithm can finish faster.

The refined forward exploration algorithms calculate LU
information for each state of the automaton separately [2],
or even on-the-fly during exploration [11]. The maximality
argument in favour of $a_{\preceq LU}$ is of course true also in this case.

The last missing piece is an efficient inclusion test $Z \subseteq
a_{\preceq LU}(Z')$. This is the main technical contribution of this paper.

V. An algorithm for $Z \subseteq a_{\preceq LU}(Z')$

In this section, we present an efficient algorithm for the
inclusion $Z \subseteq a_{\preceq LU}(Z')$ (Theorem 34). Since a lot of tests of
this kind need to be performed during exploration of the zone
graph, it is essential to have a low complexity for this inclusion
procedure. We are aiming at quadratic complexity as this is the
complexity incurred in the existing algorithms for inclusions
of the form $Z \subseteq Z'$ or $Z \subseteq Closure(Extra^+_{LU}(Z'))$ [11]. It
is well known that all the other operations needed for forward
exploration can be done in at most quadratic time [18].

We solve the inclusion problem in two steps. We first
concentrate on the question: given a region $R$ and a zone $Z$,
when does $R \subseteq a_{\preceq LU}(Z)$ hold. We show the crucial point that this
can be decided by verifying if the projection on every pair of
variables satisfies this inclusion. Since $a_{\preceq LU}(Z)$ is not convex
we need to find a way to work with $Z$ instead. It turns out
that one can define $a^{-1}_{\preceq LU}(R)$ in such a way that $R \subseteq a_{\preceq LU}(Z)$
is equivalent to $a^{-1}_{\preceq LU}(R) \cap Z \neq \emptyset$. We show moreover that
$a^{-1}_{\preceq LU}(R)$ is a zone. This gets us already half way to the result,
the rest being examination of the structure of the intersection.
Once the inclusion question is solved with respect to regions,
we extend the solution to zones thanks to a method allowing
us to quickly tell which regions intersect a given zone.

For the rest of the section, we assume a given automaton $\mathcal{A}$
with LU bounds. Before we begin we will need to recall some
standard notions. Let us consider a bound function associating
to each clock $x$ of $\mathcal{A}$ a bound $\alpha_x \in \mathbb{N}$ (that is the maximum
of $L$ and $U$ bounds). A region with respect to $\alpha$ is the set
of valuations specified as follows:

1) for each clock $x \in X$, one constraint from the set:

$\{x = c \mid c = 0, \dots, \alpha_x\} \cup \{c - 1 < x < c \mid c =
1, \dots, \alpha_x\} \cup \{x > \alpha_x\}$

2) for each pair of clocks $x, y$ having interval constraints
$c - 1 < x < c$ and $d - 1 < y < d$, it is specified if $\{x\}$
is less than, equal to or greater than $\{y\}$.

One can check that the set of regions finitely partitions $\mathbb{R}_{\ge 0}^X$.

Fig. 4. Distance graph for the zone $(x - y \ge 1 \wedge y \le 2 \wedge x \ge 4)$.

A notion of a zone has already been recalled earlier.
Every region is a zone but not vice-versa. The standard
way to represent zones is using difference bound matrices
(DBMs) [10]. We will consider an equivalent representation
that uses graphs instead of matrices.

It will be very convenient to represent zones by distance
graphs. Such a graph has clocks as vertices, with an additional
special clock $x_0$ representing the constant $0$. For readability,
we will often write $0$ instead of $x_0$. Between every two vertices
there is an edge with a weight of the form $(\lhd, c)$ where $c \in \mathbb{Z}$
and $\lhd$ is either $\le$ or $<$; or $(\lhd, c)$ equals $(<, \infty)$. An edge
$x \xrightarrow{(\lhd, c)} y$ represents a constraint $y - x \lhd c$; or in words, the
distance from $x$ to $y$ is bounded by $c$. An example of a distance
graph is depicted in Fig. 4.

Let $[G]$ be the set of valuations of clock variables satisfying
all the constraints given by the edges of $G$ with the restriction
that the value of $x_0$ is $0$. We denote a distance graph $G$ by
the set of its weights: $(\lhd_{ij}, c_{ij})_{i,j \in X}$.

An arithmetic over the weights $(\lhd, c)$ can be defined as
follows [5].

Equality: $(\lhd_1, c_1) = (\lhd_2, c_2)$ if $c_1 = c_2$ and $\lhd_1 = \lhd_2$.
Addition: $(\lhd_1, c_1) + (\lhd_2, c_2) = (\lhd, c_1 + c_2)$ where
$\lhd$ is $<$ iff either $\lhd_1$ or $\lhd_2$ is $<$.
Minus: $-(\lhd, c) = (\lhd, -c)$.
Order: $(\lhd_1, c_1) < (\lhd_2, c_2)$ if either $c_1 < c_2$ or ($c_1 = c_2$
and $\lhd_1$ is $<$ and $\lhd_2$ is $\le$).

This arithmetic lets us talk about the weight of a path as the
sum of the weights of its edges. A cycle in a distance graph $G$
is said to be negative if the sum of the weights of its edges is
at most $(<, 0)$; otherwise the cycle is positive. The following
useful lemma is folklore.

Lemma 16 A distance graph $G$ has only positive cycles iff
$[G] \neq \emptyset$.

A distance graph is in canonical form if the weight of the
edge from $x$ to $y$ is the lower bound of the weights of paths
from $x$ to $y$. For instance, the distance graph shown in Figure 4
is not in canonical form as the weight of the edge $x \to y$ is
$(\le, -1)$ whereas there is a path $x \to 0 \to y$ whose weight
is $(\le, -2)$. To convert it to canonical form, it is sufficient to
change the weight of the edge $x \to y$ to $(\le, -2)$.

A distance graph of a region $R$,  denoted $G_R$, is the
canonical graph representing all the constraints defining $R$.
Similarly $G_Z$ for a zone $Z$. For two distance graphs $G_1$,
$G_2$ which are not necessarily in canonical form, we denote
by $\min(G_1, G_2)$ the distance graph where each edge has the
weight equal to the minimum of the corresponding weights in
$G_1$ and $G_2$. Even though this graph may be not in canonical
form, it should be clear that it represents the intersection of the
two arguments, that is, $[\min(G_1, G_2)] = [G_1] \cap [G_2]$; in
other words, the valuations satisfying the constraints given by
$\min(G_1, G_2)$ are exactly those satisfying all the constraints
from $G_1$ as well as $G_2$.

We are now in a position to consider the inclusion $R \subseteq
a_{\preceq LU}(Z)$. The first result says that for every zone $Z$, the set
$a_{\preceq LU}(Z)$ is a union of regions.

Proposition 17 Let $Z$ be a zone: every region that has a
nonempty intersection with $a_{\preceq LU}(Z)$ is included in $a_{\preceq LU}(Z)$.

Before proving the proposition, we begin with a lemma that
relates the simulation $v \preceq_{LU} v'$ and the containment $v' \in
r_{LU}(v)$ defined earlier.

Lemma 18 Let $v, v'$ be valuations such that $v \preceq_{LU} v'$. Then,
$v' \in r_{LU}(v)$.

Proof: It is not difficult to see from the definition of $\preceq_{LU}$
that both $v$ and $v'$ satisfy the same LU-guards. It remains to
show the second property for $v'$ to be in $r_{LU}(v)$.

Let $x, y$ be clocks such that $\lfloor v(x) \rfloor = \lfloor v'(x) \rfloor$, $\lfloor v(y) \rfloor = \lfloor v'(y) \rfloor$,
$v(x) < U_x$, $v(y) < L_y$. Suppose $\{v(x)\} \lhd \{v(y)\}$, for $\lhd$ being either
$<$ or $=$. As $v \preceq_{LU} v'$, if $v'(x) > v(x)$, we need $v(x) > U_x$,
which is not true. Hence we can conclude that $v'(x) \le v(x)$.
Similarly, for $y$, one can conclude that $v'(y) \ge v(y)$ (if $v'(y) < v(y)$
we would need $v'(y) > L_y$, but $v'(y) < v(y) < L_y$). As the
integer parts are the same in $v$ and $v'$, we get $\{v'(x)\} <
\{v'(y)\}$ or $\{v'(x)\} \le \{v'(y)\}$ depending on whether $\lhd$ is $<$
or $=$. ■

Proof of Proposition 17: Let $v$ and $w$ be valuations be-
longing to the same region. Assume that $v \in a_{\preceq LU}(Z)$. So
there exists a valuation $v' \in Z$ such that $v \preceq_{LU} v'$. From
Lemma 18 we get $v' \in r_{LU}(v)$. Since $w$ belongs to the same
region as $v$, one also has $v' \in r_{LU}(w)$. From the adjustment
lemma, there exists $w' \in nbd(v')$ such that $w \preceq_{LU} w'$. But
values in the same neighbourhood satisfy the same difference
constraints and should hence belong to the same zones. This
gives that $w' \in Z$ and hence $w \in a_{\preceq LU}(Z)$. ■

A. When is $R \subseteq a_{\preceq LU}(Z)$?

We will first transform the question about the inclusion $R \subseteq
a_{\preceq LU}(Z)$ into one about an intersection. We begin by defining
an operator $a^{-1}_{\preceq LU}$.

Definition 19 ($a^{-1}_{\preceq LU}$ abstraction) Let $W$ be a set of valu-
ations. Then, $a^{-1}_{\preceq LU}(W)$ is the set of valuations defined as
follows:

$a^{-1}_{\preceq LU}(W) = \{v' \mid \exists v \in W \text{ with } v \preceq_{LU} v'\}$.

The next lemma says that deciding if $R \subseteq a_{\preceq LU}(Z)$ can be
reduced to checking if $a^{-1}_{\preceq LU}(R)$ intersects with $Z$.

Lemma 20 Given a region $R$ and a zone $Z$, we have

$R \subseteq a_{\preceq LU}(Z)$ iff $a^{-1}_{\preceq LU}(R) \cap Z \neq \emptyset$

Proof: Suppose $R \subseteq a_{\preceq LU}(Z)$ and let $v \in R$. As $v \in
a_{\preceq LU}(Z)$ too, there exists a valuation $v' \in Z$ such that $v \preceq_{LU}
v'$. Now by Definition 19 we get $v' \in a^{-1}_{\preceq LU}(R)$, showing that
$v'$ belongs to both $Z$ and $a^{-1}_{\preceq LU}(R)$. Hence $a^{-1}_{\preceq LU}(R) \cap Z \neq \emptyset$.

Suppose $a^{-1}_{\preceq LU}(R) \cap Z \neq \emptyset$ and let $v' \in a^{-1}_{\preceq LU}(R) \cap Z$.
This shows that $v' \in Z$ and $v \preceq_{LU} v'$ for some valuation
$v \in R$. Now from the definition of $a_{\preceq LU}$, we get $v \in a_{\preceq LU}(Z)$.
Therefore, we have a valuation $v$ such that $v \in R$ and $v \in
a_{\preceq LU}(Z)$. From Proposition 17 this means $R \subseteq a_{\preceq LU}(Z)$. ■

We will now focus on the intersection question: when is
$a^{-1}_{\preceq LU}(R) \cap Z$ empty. Given the canonical distance graphs
$G_R$ and $G_Z$ for $R$ and $Z$ respectively, the idea is to rep-
resent $a^{-1}_{\preceq LU}(R)$ as a distance graph $G^*_R$ and check when
$\min(G^*_R, G_Z)$ has negative cycles. We first partition the set
of clocks $X$ into four sets based on the region $R$ and then
define the distance graph $G^*_R$ for $a^{-1}_{\preceq LU}(R)$ based on these
sets.

Definition 21 (Partitioning clocks based on $R$) Let $R$ be a
region and let $G_R = (\lhd_{ij}, c_{ij})_{i,j \in X}$ be its distance graph in
canonical form. Then, we partition the set of clocks $X$ into
four sets: $B_R$, $C_R$, $U_R$ and $M_R$ as follows:

$B_R = \{x \in X \mid c_{0x} \le \min(L_x, U_x)\} \cup \{x_0\}$
$C_R = \{x \in X \mid L_x < c_{0x} \le U_x\}$
$U_R = \{x \in X \mid U_x < c_{0x} \le L_x\}$
$M_R = \{x \in X \mid \max(L_x, U_x) < c_{0x}\}$

Definition 22 (Distance graph for $a^{-1}_{\preceq LU}(R)$) Given a re-
gion $R$ and its associated distance graph in canonical form
$G_R = (\lhd_{ij}, c_{ij})_{i,j \in X}$, the distance graph $G^*_R$ is given by
$(\lhd^*_{ij}, c^*_{ij})_{i,j \in X}$ where:

$(\lhd^*_{ij}, c^*_{ij}) =$
  $(<, \infty)$ if $j \in M_R \cup U_R$
  $(<, \infty)$ if $i \in M_R \cup C_R$ and $j \neq 0$
  $(<, -L_i)$ if $i \in M_R \cup C_R$ and $j = 0$
  $(\lhd_{ij}, c_{ij})$ otherwise

The following lemma confirms that the distance graph
defined above indeed represents $a^{-1}_{\preceq LU}(R)$.

Lemma 23 Let $G_R$ be the canonical distance graph of a
region $R$. Then $[G^*_R] = a^{-1}_{\preceq LU}(R)$.



We begin with the following lemma that shows one side of
the implication.

Lemma 24 Let $v'$ be a valuation in $a^{-1}_{\preceq LU}(R)$. Then, $v' \in [G^*_R]$.

Proof: Let $G_R$ be given by $(\lhd_{ij}, c_{ij})_{i,j \in X}$ and let $G^*_R =
(\lhd^*_{ij}, c^*_{ij})_{i,j \in X}$ be the graph obtained from Definition 22.

We will show that the valuation $v'$ has to satisfy the constraints
given by $G^*_R$. That is, we will now show that for every $i, j \in
X$, we get $v'_j - v'_i \lhd^*_{ij} c^*_{ij}$. From the definition of $G^*_R$, finite
weights occur only in edges of the form $i \to j$ with $i \in B_R \cup U_R$
and $j \in B_R \cup C_R$, and $j \xrightarrow{(<, -L_j)} 0$ with $j \in C_R \cup M_R$. In the
former case, the finite values are in fact $(\lhd_{ij}, c_{ij})$. It is enough
to consider these edges.

Now, as $v' \in a^{-1}_{\preceq LU}(R)$, there exists a valuation $v \in R$ such
that $v \preceq_{LU} v'$. The valuation $v$ satisfies the constraints of $G_R$,
that is $v_j - v_i \lhd_{ij} c_{ij}$. Consider two variables, $i \in B_R \cup U_R$
and $j \in B_R \cup C_R$. Since $v \preceq_{LU} v'$, we will have $v'_i \ge v_i$ and
$v'_j \le v_j$ (for $i \in B_R \cup U_R$ we have $v_i \le L_i$, so $v'_i < v_i$ would
violate $v'_i > L_i$; for $j \in B_R \cup C_R$ we have $v_j \le U_j$, so $v'_j > v_j$
would violate $v_j > U_j$). This clearly gives $v'_j - v'_i \lhd_{ij} c_{ij}$ too.
Also, for $j \in C_R \cup M_R$ we have $v_j > L_j$, and $v \preceq_{LU} v'$ then
forces $v'_j > L_j$ (either $v'_j \ge v_j$, or $v'_j < v_j$ and then $v'_j > L_j$
by the definition of $\preceq_{LU}$), which shows that the constraint
$j \xrightarrow{(<, -L_j)} 0$ is satisfied. ■

The rest of the section is devoted to proving that if $v' \in [G^*_R]$
then $v' \in a^{-1}_{\preceq LU}(R)$. Let $v$ be an arbitrary valuation such that
$v \in R$. We will first show that $v' \in r_{LU}(v)$. We will then
give a reverse-adjustment lemma below which will entail there
exists a valuation $v_1 \in nbd(v)$ such that $v_1 \preceq_{LU} v'$. Since
$v_1 \in nbd(v)$, it would also belong to $R$.

Lemma 25 Let $R$ be a region and let $v' \in [G^*_R]$. Then, for
every valuation $v \in R$, $v' \in r_{LU}(v)$.

Proof: Let $v$ be a valuation in $R$. From the definition
of $G^*_R$, it can be easily seen that both $v$ and $v'$ satisfy the
same LU-guards. It is the second property about the fractional
parts for clocks with the same integer parts that needs to be
checked.

Let $x, y$ be clocks such that $\lfloor v'(x) \rfloor = \lfloor v(x) \rfloor$, $\lfloor v'(y) \rfloor =
\lfloor v(y) \rfloor$ and $v(x) < U_x$ and $v(y) < L_y$. By the partition of
clocks this means that $x \in B_R \cup C_R$ and $y \in B_R \cup U_R$. From Definition
22 the edge $y \to x$ carries in $G^*_R$ the same weight as in $G_R$.

Let $\lfloor v(x) \rfloor = c_x$, $\lfloor v(y) \rfloor = c_y$ and let $y \xrightarrow{(\lhd, d)} x$ be the edge
in $G_R$. This entails that all valuations in $R$ satisfy $x - y \lhd d$.
Hence their fractional parts satisfy:

$\{x\} - \{y\} \lhd d - (c_x - c_y)$

Suppose $\{x\} < \{y\}$ for all valuations in $R$. Since $G_R$ is
canonical, we can infer $d - (c_x - c_y) \le 0$, and if it is $0$ then
$\lhd$ is $<$.

Now consider the graph $G^*_R$. Since the edge $y \xrightarrow{(\lhd, d)} x$
remains in $G^*_R$, and since $v' \in [G^*_R]$, the valuation $v'$ should
satisfy $v'_x - v'_y \lhd d$ and as $\lfloor v'_y \rfloor = c_y$ and $\lfloor v'_x \rfloor = c_x$, we get:

$\{v'_x\} - \{v'_y\} \lhd d - (\lfloor v'_x \rfloor - \lfloor v'_y \rfloor)$
$\Rightarrow \{v'_x\} - \{v'_y\} \lhd d - (c_x - c_y)$

We saw before that either $d - (c_x - c_y) < 0$ or, if it is $0$, then
$\lhd$ is $<$. This shows that $\{v'(x)\} < \{v'(y)\}$.

The other case when $\{v(x)\} = \{v(y)\}$ can be shown exactly
in the same manner. ■

Lemma 26 (Reverse-adjustment) Let $v, v'$ be valuations
such that $v' \in r_{LU}(v)$. Then there exists a valuation $v_1 \in
nbd(v)$ such that $v_1 \preceq_{LU} v'$.

Proof: The task is to pick a valuation $v_1$ that has the same
integral parts as $v$ and agrees with the ordering of fractional parts
in $v$. Similar to the proof of the adjustment lemma, it is
enough to choose fractional parts for the clocks $X_f$ that have:

• $\lfloor v'(x) \rfloor = \lfloor v(x) \rfloor$,

• $\{v'(x)\} > 0$ and $\{v(x)\} > 0$,

• $v(x) < \max(U_x, L_x)$.

Again, as $v' \in r_{LU}(v)$, we have the following property:

$\forall x, y \in X_f$ such that $v(x) < U_x$ and $v(y) < L_y$: (3)
$\{v(x)\} < \{v(y)\} \Rightarrow \{v'(x)\} < \{v'(y)\}$
$\{v(x)\} = \{v(y)\} \Rightarrow \{v'(x)\} \le \{v'(y)\}$

Let $0 < \delta_1 < \delta_2 < \dots < \delta_n < 1$ be the fractional parts taken
by clocks of $X_f$ in $v$ and let $X_i$ be defined as follows:

$X_i = \{x \in X_f \mid \{v(x)\} = \delta_i\}$

for $i \in \{1, \dots, n\}$.

We will now select $n$ values $0 < \sigma_1 < \sigma_2 < \dots < \sigma_n < 1$
and set for all clocks $x_i \in X_i$ the fractional part $\{v_1(x_i)\}$ to be $\sigma_i$.
We perform an induction involving $n$ steps.

After the $k$-th step of the induction we assume the following
hypothesis:

• we have picked values $0 < \sigma_{n-k+1} < \sigma_{n-k+2} < \dots <
\sigma_n < 1$,

• for all clocks $x \in X_{n-k+1} \cup X_{n-k+2} \cup \dots \cup X_n$, the $\preceq_{LU}$
condition is satisfied,

• for all clocks $y \in X_1 \cup X_2 \cup \dots \cup X_{n-k}$, we have

$v'(y) < U_y \Rightarrow \{v'(y)\} < \sigma_{n-k+1}$ (4)

Let us now perform the $(k+1)$-th step and show that the
hypothesis is true for $k + 1$. The task is to pick $\sigma_{n-k}$. We first
define two values $0 < l' \le 1$ and $0 \le u' < 1$ as follows (taking
$u' = 0$ when the set is empty):

$l' = \min \big( \{ \{v'(z)\} \mid z \in X_{n-k} \text{ and } v'(z) < L_z \} \cup \{\sigma_{n-k+1}\} \big)$
$u' = \max \{ \{v'(z)\} \mid z \in X_{n-k} \text{ and } v'(z) < U_z \}$

It can be shown that $u' \le l'$. The rest of the proof follows
in exactly the same lines as that of the adjustment lemma. ■

We now have two distance graphs $G^*_R$, $G_Z$ correspond-
ing to $a^{-1}_{\preceq LU}(R)$ and $Z$ respectively. Therefore, checking if
$a^{-1}_{\preceq LU}(R) \cap Z$ is empty reduces to checking if the distance
graph $\min(G^*_R, G_Z)$ has a negative cycle. To get $G^*_R$, we took
$G_R$ and modified some edges to $(<, \infty)$ and some edges of
the form $x \to 0$ to $(<, -L_x)$. So note that the graph $G^*_R$ need
not necessarily be in canonical form.

We will now state a necessary and sufficient condition
for the graph $\min(G^*_R, G_Z)$ to have a negative cycle. We
denote by $Z_{xy}$ the weight of the edge $x \to y$ in the
canonical distance graph representing $Z$. Similarly for $R$.
When a variable $x$ represents the special clock $x_0$, we define
$R_{0x}$ to be $(\le, 0)$. Since by convention $x_0$ is always $0$, this is
consistent.

Proposition 27 Let $G_R$, $G_Z$ be the canonical distance graphs
for a region $R$ and a zone $Z$ respectively. Then, $\min(G^*_R, G_Z)$
has a negative cycle iff there exists a variable $x \in B_R \cup C_R$
and a variable $y \in X$ such that one of the following conditions
is true:

1) either $y \in B_R \cup U_R$ and $Z_{xy} + R_{yx} < (\le, 0)$,

2) or $y \in C_R \cup M_R$ and $R_{0x} + Z_{xy} + (<, -L_y) < (\le, 0)$.

The proof of Proposition 27 follows from Lemmas 29
and 30 below whose proofs in turn rely on an important
observation made in Lemma 28. We say that a variable $x$
is bounded in $R$ if a constraint $x \le c$ holds in $R$ for some
constant $c$.

Lemma 28 Let $x, y$ be bounded variables of $R$ appearing in
some negative cycle $N$ of $\min(G^*_R, G_Z)$. Let the edge weights
be $x \xrightarrow{(\lhd_{xy}, c_{xy})} y$ and $y \xrightarrow{(\lhd_{yx}, c_{yx})} x$ in $G_R$. If the value of the
path $x \rightsquigarrow y$ in $N$ is strictly less than $(\lhd_{xy}, c_{xy})$, then

$x \rightsquigarrow y \xrightarrow{(\lhd_{yx}, c_{yx})} x$ is a negative cycle.

Proof: Let the path $x \rightsquigarrow y$ in $N$ have weight
$(\lhd, c)$. Now, since $x$ and $y$ are bounded variables in $R$, we
can have either $y - x = d$ or $d - 1 < y - x < d$ for some
integer $d$.

In the first case, we have edges $x \xrightarrow{(\le, d)} y$ and $y \xrightarrow{(\le, -d)} x$ in
$G_R$, that is $(\lhd_{xy}, c_{xy}) = (\le, d)$ and $(\lhd_{yx}, c_{yx}) = (\le, -d)$.
Since by hypothesis $(\lhd, c)$ is strictly less than $(\le, d)$, we have
either $c < d$ or $c = d$ and $\lhd$ is the strict inequality. Hence
$(\lhd, c) + (\le, -d) < (\le, 0)$, showing that $x \rightsquigarrow y \xrightarrow{(\le, -d)}
x$ is a negative cycle.

In the second case, we have edges $x \xrightarrow{(<, d)} y$ and $y \xrightarrow{(<, 1-d)} x$
in $G_R$, that is, $(\lhd_{xy}, c_{xy}) = (<, d)$ and $(\lhd_{yx}, c_{yx}) = (<, 1 - d)$.
Here $c < d$, so $c \le d - 1$, and again $x \rightsquigarrow y \xrightarrow{(<, 1-d)} x$ gives a
negative cycle. ■

Lemma 29 Suppose there exists a negative cycle in
$\min(G^*_R, G_Z)$ containing no edges of the form $x \xrightarrow{(<, -L_x)} 0$.
Then, there exist variables $x \in B_R \cup C_R$ and $y \in B_R \cup U_R$
such that $Z_{xy} + R_{yx} < (\le, 0)$.

Proof: Let $N$ be a negative cycle of $\min(G^*_R, G_Z)$
containing no edges of the form $x \xrightarrow{(<, -L_x)} 0$. Therefore the
value of every edge in $N$ comes from either $G_Z$ or $G_R$. Since
both these graphs are canonical, we can assume without loss
of generality that no two consecutive edges in $N$ come from
the same graph.

Suppose $N$ has two edges $x_1 \to x_2$ and $y_1 \to y_2$ with edge
values coming from $G_R$. From the definition of $G^*_R$ we get:

$x_1, y_1 \notin C_R \cup M_R$ and $x_2, y_2 \notin U_R \cup M_R$ (5)

This condition implies that all the four variables are bounded.
Hence there exist finite valued edges $x_1 \xrightarrow{(\lhd, c)} y_2$ and $y_2 \to
x_1$ in $G_R$.

Suppose $(\lhd, c)$ is less than or equal to the value of the
path $x_1 \to \dots \to y_2$ of $N$. Then, we could replace this path
by the edge $x_1 \to y_2$ to get a smaller negative cycle $N_1$.
From condition (5) and from the definition of $G^*_R$, we get that
the edge $x_1 \to y_2$ remains in $G^*_R$ and hence $N_1$ is a negative
cycle of $\min(G^*_R, G_Z)$.

Suppose $(\lhd, c)$ is greater than the value of the path $x_1 \to
\dots \to y_2$. Then, by Lemma 28, we get $x_1 \to x_2 \to \dots \to y_1 \to
y_2 \to x_1$ to be a negative cycle. Since $G_R$ is canonical, we
can replace $y_1 \to y_2 \to x_1 \to x_2$ by the edge $y_1 \to x_2$ to get
a smaller negative cycle $N_2$. Again from condition (5), we get
that $y_1 \to x_2$ remains in $G^*_R$ and $N_2$ is a negative cycle of
$\min(G^*_R, G_Z)$.

In both cases, we have eliminated two edges with value
coming from $G_R$ to get a smaller cycle with a single edge
instead. Continuing this further, we would get a negative cycle
containing only one edge coming from $G_R$. Moreover, we
have seen that this edge would be retained in $G^*_R$ too. Since
$G_Z$ is canonical, there would be only one edge coming from
$G_Z$, which gives a negative cycle of the form $x \to y \to x$
with $x \to y$ coming from $G_Z$ and $y \to x$ coming from $G^*_R$.
From the definition of $G^*_R$, we see that $x \in B_R \cup C_R$ and
$y \in B_R \cup U_R$. ■

Lemma 30 Suppose there exists a negative cycle in
$\min(G^*_R, G_Z)$ containing an edge $y \xrightarrow{(<, -L_y)} 0$ with $y \in
C_R \cup M_R$. Then, either there is a smaller negative cycle with
no edge of the form $y \xrightarrow{(<, -L_y)} 0$, or there exists $x \in B_R \cup C_R$
such that $R_{0x} + Z_{xy} + (<, -L_y) < (\le, 0)$.

Proof: Let $N$ be a negative cycle in $\min(G^*_R, G_Z)$ that
contains the edge $y \xrightarrow{(<, -L_y)} 0$ with $y \in C_R \cup M_R$. If the vertex
$0$ occurs once again in $N$, we could obtain a smaller negative
cycle containing only one occurrence of $0$. Hence without loss
of generality, we can assume that $0$ occurs only once in $N$,
with the incoming edge $y \xrightarrow{(<, -L_y)} 0$. Consequently, every other
edge value in $N$ comes from either $G_R$ or $G_Z$ and since both
these graphs are canonical, without loss of generality, we can
assume that no two consecutive edges come from the same
graph in the path from $0$ to $y$.

Consider the variable $y$ with its predecessor: $x \xrightarrow{(\lhd, d)} y$.
Suppose the value $(\lhd, d)$ comes from $G_R$. We can first infer
from the definition of $G^*_R$ that $x \notin C_R \cup M_R$. Now suppose
we have the edge $y \xrightarrow{(\lhd', -d')} 0$ in $G_R$. This means that $d' \lhd' y$
in $R$ and since $y \in C_R \cup M_R$, we can see that $d' \ge L_y$ (with
$\lhd'$ strict when $d' = L_y$). This gives $(<, -L_y) \ge (\lhd', -d')$ and
hence we can replace $x \xrightarrow{(\lhd, d)} y \xrightarrow{(<, -L_y)} 0$ by the edge $x \to 0$
coming from $G_R$. As we have already seen that $x \notin C_R \cup M_R$,
the edge $x \to 0$ from $G_R$ remains in $G^*_R$ too. Replacing by the
edge $x \to 0$ gives a negative cycle without an edge of the form
$y \xrightarrow{(<, -L_y)} 0$. Therefore, without loss of generality let us
consider the value $(\lhd, d)$ to come from $G_Z$.

Consider an edge $x_1 \to x_2$ that is part of $N$ with edge value
coming from $G_R$. Firstly, we can infer that $x_2 \notin U_R \cup M_R$.
Now consider the edges $0 \xrightarrow{(\lhd, c)} x_2$ and $x_2 \to 0$ of $G_R$. If
$(\lhd, c)$ is smaller than the value of the path $0 \to \dots \to x_2$
in $N$, we can replace the path by the edge $0 \to x_2$ that we
know remains in $G^*_R$ since $x_2 \notin U_R \cup M_R$. Otherwise, from
Lemma 28 we get $0 \to \dots \to x_1 \to x_2 \to 0$ to be a negative
cycle. This cycle does not contain the edge $y \xrightarrow{(<, -L_y)} 0$ and
it is indeed smaller than $N$ since we have assumed the edge
$x \to y$ to come from $G_Z$ and so $x_2$ is not $y$.

From the above paragraphs, we get that we can reduce $N$
either to a smaller negative cycle without the $y \xrightarrow{(<, -L_y)} 0$ edge or
to a negative cycle with $y \xrightarrow{(<, -L_y)} 0$ that satisfies the following
properties:

• if the predecessor to $y$ is $x$, the edge $x \to y$ should come
from $G_Z$,

• the only edge coming from $G_R$ is of the form $0 \to x'$,
with $x' \in B_R \cup C_R$.

Hence, along with the fact that $G_Z$ is canonical, we get this
negative cycle to be of the form $0 \to x \to y \to 0$ where
the value of $0 \to x$ comes from $G_R$ and the value of $x \to y$
comes from $G_Z$ with $x \in B_R \cup C_R$ and $y \in C_R \cup M_R$. ■
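The machinery of this section (the weight arithmetic and canonical form of distance graphs, Lemma 16, the partition of Definition 21, the graph $G^*_R$ of Definition 22, and the inclusion test of Lemmas 20 and 23) is small enough to run as a whole. The following is an added example written for this page, not code from the paper: it decides $R \subseteq a_{\preceq LU}(Z)$ for the region of a given valuation by looking for a negative cycle in $\min(G^*_R, G_Z)$, and cross-checks that verdict against the two closed-form conditions of Proposition 27 on every region met by a grid. Clock names, the bounds, the zone $Z$ and the grid are constructed for the check; a weight $(\lhd, c)$ is encoded as a pair `(strict, c)`, and the region graph is derived directly from a sample valuation using the region definition above.

```python
# Added example (not from the paper): distance-graph arithmetic, canonical
# form and the negative-cycle test (Lemma 16), Definitions 21 and 22, and the
# test R ⊆ a_{≼LU}(Z) of Lemmas 20/23, cross-checked against Proposition 27.
# A weight is (strict, c): "< c" if strict else "≤ c"; node 0 is x0; numbers
# are Fractions so that fractional parts compare exactly.
from fractions import Fraction as F
from itertools import product
from math import floor, inf

INF = (True, inf)                  # (<, ∞), the absent edge
ZERO = (False, 0)                  # (≤, 0)

def w_add(a, b): return (a[0] or b[0], a[1] + b[1])
def w_lt(a, b): return a[1] < b[1] or (a[1] == b[1] and a[0] and not b[0])
def w_min(a, b): return a if w_lt(a, b) else b

def canonical(g):
    """Floyd-Warshall over the weight arithmetic: each edge gets its least path weight."""
    nodes = sorted({n for e in g for n in e}, key=str)
    g = {(i, j): g.get((i, j), ZERO if i == j else INF) for i in nodes for j in nodes}
    for k in nodes:
        for i in nodes:
            for j in nodes:
                g[i, j] = w_min(g[i, j], w_add(g[i, k], g[k, j]))
    return g

def has_negative_cycle(g):
    """Lemma 16: [G] = ∅ iff some cycle weighs at most (<, 0); after
    Floyd-Warshall such a cycle shows up as a self-loop below (≤, 0)."""
    return any(w_lt(w, ZERO) for (i, j), w in canonical(g).items() if i == j)

def g_min(g1, g2):                 # min(G1, G2) represents [G1] ∩ [G2]
    return {e: w_min(g1[e], g2[e]) for e in g1}

def region_graph(v, alpha):
    """Canonical distance graph G_R of the region (w.r.t. alpha) containing v."""
    g, kind = {}, {}
    for x, val in v.items():
        if val > alpha[x]:                              # x > alpha_x
            kind[x], g[0, x], g[x, 0] = "gt", INF, (True, -alpha[x])
        elif val.denominator == 1:                      # x = c
            kind[x], g[0, x], g[x, 0] = "eq", (False, val), (False, -val)
        else:                                           # c-1 < x < c
            c = floor(val) + 1
            kind[x], g[0, x], g[x, 0] = "int", (True, c), (True, 1 - c)
    for x, y in product(v, repeat=2):                   # order of fractional parts
        if x != y and kind[x] == kind[y] == "int":
            fx, fy = v[x] - floor(v[x]), v[y] - floor(v[y])
            d = floor(v[y]) - floor(v[x])               # y - x lies in (d-1, d+1)
            g[x, y] = (False, d) if fx == fy else (True, d + 1) if fx < fy else (True, d)
    return canonical(g)

def partition(gr, L, U):
    """Definition 21, from the upper bounds c_{0x} of the region."""
    B, C, Ur, M = {0}, set(), set(), set()
    for x in L:
        c = gr[0, x][1]
        (B if c <= min(L[x], U[x]) else C if L[x] < c <= U[x]
         else Ur if U[x] < c <= L[x] else M).add(x)
    return B, C, Ur, M

def g_star(gr, L, B, C, Ur, M):
    """Definition 22: the graph G*_R of a^{-1}_{≼LU}(R) (not canonical in general)."""
    gs = {}
    for (i, j), w in gr.items():
        if j in M | Ur:
            gs[i, j] = INF
        elif i in M | C:
            gs[i, j] = (True, -L[i]) if j == 0 else INF
        else:
            gs[i, j] = w
    return gs

def prop27_excludes(gr, gz, L, B, C, Ur, M):
    """Proposition 27: does min(G*_R, G_Z) have a negative cycle?"""
    for x in B | C:
        for y in {n for n, _ in gr}:
            if y in B | Ur and w_lt(w_add(gz[x, y], gr[y, x]), ZERO):
                return True
            if y in C | M and w_lt(w_add(w_add(gr[0, x], gz[x, y]), (True, -L[y])), ZERO):
                return True
    return False

def region_included(v, gz, L, U, alpha):
    """R ⊆ a_{≼LU}(Z) for the region R of v, via Lemma 20 and Lemma 23."""
    gr = region_graph(v, alpha)
    return not has_negative_cycle(g_min(g_star(gr, L, *partition(gr, L, U)), gz))

def prop27_agrees(gz, L, U, alpha):
    """Compare both tests on every region met by a 1/3-grid up to alpha + 1."""
    pts = [F(k, 3) for k in range(3 * (max(alpha.values()) + 1) + 1)]
    for vals in product(pts, repeat=len(L)):
        v = dict(zip(L, vals))
        gr = region_graph(v, alpha)
        if region_included(v, gz, L, U, alpha) == prop27_excludes(gr, gz, L, *partition(gr, L, U)):
            return False
    return True

# Constructed instance: L_x = 3, U_x = 1, L_y = 1, U_y = 3 (so that U_R and C_R
# both occur), alpha = max(L, U), and Z = (x = 3 ∧ 0 ≤ y ≤ 1).  Unfolding the
# definition of ≼LU gives a_{≼LU}(Z) = (1 < x ≤ 3 ∧ 0 ≤ y ≤ 1).
L, U = {"x": 3, "y": 1}, {"x": 1, "y": 3}
ALPHA = {"x": 3, "y": 3}
GZ = canonical({(0, "x"): (False, 3), ("x", 0): (False, -3),
                (0, "y"): (False, 1), ("y", 0): (False, 0)})

if __name__ == "__main__":
    for x, y in [(F(3, 2), F(1, 2)), (F(7, 3), F(2, 3)), (F(1), F(0)), (F(4), F(1))]:
        print(f"region of ({x}, {y}) inside a_LU(Z):", region_included({"x": x, "y": y}, GZ, L, U, ALPHA))
    print("Proposition 27 agrees with the negative-cycle test:", prop27_agrees(GZ, L, U, ALPHA))
```

The regions of $(3/2, 1/2)$ and $(7/3, 2/3)$ lie in $a_{\preceq LU}(Z)$, those of $(1, 0)$ and $(4, 1)$ do not, and on the whole grid the closed form of Proposition 27 gives the same answer as the cycle search; for the excluded region of $(4, 1)$ it is the second condition, with $x = x_0$ and $y \in M_R$, that fires.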

B. Efficient inclusion testing

We will now present the remaining steps for constructing an
efficient algorithm to check if $Z \subseteq a_{\preceq LU}(Z')$. Recall that we
are aiming at an $O(|X|^2)$ complexity. Proposition 27 can be
used to efficiently determine if a region $R \subseteq a_{\preceq LU}(Z')$. The
task is now to find if there is a region that intersects $Z$ and
satisfies the condition given by Proposition 27 with respect to
the zone $Z'$.

For two variables $x, y$, we require to find the minimum value
of $R_{yx}$ among the regions $R$ intersecting a zone $Z$. To be able
to use Proposition 27, we additionally require the variables $x, y$
to be in appropriate sets $B_R$, $C_R$, $U_R$ or $M_R$, with respect to
$R$. To achieve this, one needs to consider the relevant part of
the zone that has regions with $x$ and $y$ in appropriate sets.
Once this value is obtained, we can plug it into the condition
specified by Proposition 27.

For ease of reading, we make use of the following notations
in the rest of this section.

Remark 31 (Notations) For a clock $x$ and a valuation $v$, we
denote $v(x)$ by $v_x$.
We begin with a few definitions. For a weight $(\lhd, c)$ we
define $-(\lhd, c)$ as $(\lhd, -c)$. We now define a ceiling function
$\lceil \cdot \rceil$ for weights.

Definition 32 For a real $c$, let $\lceil c \rceil$ denote the smallest integer
that is greater than or equal to $c$. We define the ceiling function
$\lceil (\lhd, c) \rceil$ for a weight $(\lhd, c)$ depending on whether $\lhd$ equals
$\le$ or $<$, as follows:

$\lceil (\le, c) \rceil = (\le, c)$ if $c$ is an integer, and $(<, \lceil c \rceil)$ otherwise;
$\lceil (<, c) \rceil = (<, c + 1)$ if $c$ is an integer, and $(<, \lceil c \rceil)$ otherwise.


The following lemma is the core for the proof of the main
theorem. It gives the least value of $R_{yx}$ from among the
regions $R$ that intersect $Z$.

Lemma 33 Let $Z$ be a non-empty zone and let $x, y$ be
variables. Then, from among the regions $R$ that intersect $Z$,
the least value of $R_{yx}$ is given by

$(<, \infty)$ if $Z_{x0} < (\le, -\alpha_x)$
$\max \{ \lceil -Z_{xy} \rceil, \lceil -Z_{x0} \rceil + (<, -\alpha_y) \}$ otherwise

Proof: Let $G$ be the canonical distance graph representing
the zone $Z$. We denote the weight of an edge $i \to j$ in $G$ by
$Z_{ij}$. Recall that this means $Z_{ij} = (\lhd_{ij}, c_{ij})$.

We are interested in computing the smallest value of the
$x - y$ constraint defining a region belonging to $Closure_\alpha(Z)$,
that is, we need to find $\min \{ [v]_{yx} \mid v \in Z \}$, where $[v]_{yx}$ denotes
the weight of the edge $y \to x$ in the region containing $v$. Call this
$\beta$. By definition of regions, we have for a valuation $v$:

$[v]_{yx} =$
  $(<, \infty)$ if $v_x > \alpha_x$
  $\lceil (\le, v_x - v_y) \rceil$ if $v_x \le \alpha_x$ and $v_y \le \alpha_y$ (6)
  $(<, \lceil v_x \rceil - \alpha_y)$ if $v_x \le \alpha_x$ and $v_y > \alpha_y$

We now consider the first of the two cases from the
statement of the lemma. Namely, $Z_{x0} < (\le, -\alpha_x)$. This
means that $0 - v_x \lhd_{x0} c_{x0}$ and $c_{x0} \le -\alpha_x$; moreover $\lhd_{x0}$ is the
strict inequality if $c_{x0} = -\alpha_x$. In consequence, all valuations
$v \in Z$ satisfy $v_x > \alpha_x$. Whence $\beta = (<, \infty)$.

We now consider the case when $Z_{x0} \ge (\le, -\alpha_x)$. Let $G'$
be the graph in which the edge $0 \to x$ has weight $\min \{ (\le,
\alpha_x), (\lhd_{0x}, c_{0x}) \}$ and the rest of the edges are the same as
that of $G$. This graph $G'$ represents the valuations of $Z$ that
have $v_x \le \alpha_x$: $[G'] = \{ v \in Z \mid v_x \le \alpha_x \}$. We show that
this set is not empty. For this we check that $G'$ does not have
negative cycles. Since $G$ does not have negative cycles, every
negative cycle in $G'$ should include the newly modified edge
$0 \to x$. Note that the shortest path value from $x$ to $0$ does not
change due to this modified edge. So the only possible negative
cycle in $G'$ is $0 \to x \to 0$. But then we are considering the
case when $Z_{x0} \ge (\le, -\alpha_x)$, and so $Z_{x0} + (\le, \alpha_x) \ge (\le, 0)$.
Hence this cycle cannot be negative either. In consequence all
the cycles in $G'$ are positive and $[G']$ is not empty.

To find $\beta$, it is sufficient to consider only the valuations in
$[G']$. As seen from Equation (6), among the valuations in $[G']$,
we need to differentiate between those with $v_y \le \alpha_y$ and the
ones with $v_y > \alpha_y$. We proceed as follows. We first compute
$\min \{ [v]_{yx} \mid v \in [G'] \text{ and } v_y \le \alpha_y \}$. Call this $\beta_1$. Next, we
compute $\min \{ [v]_{yx} \mid v \in [G'] \text{ and } v_y > \alpha_y \}$ and set this as
$\beta_2$. Our required value $\beta$ would then equal $\min \{ \beta_1, \beta_2 \}$.

To compute $\beta_1$, consider the following distance graph $G'_1$
which is obtained from $G'$ by just changing the edge $0 \to y$
to $\min \{ (\le, \alpha_y), (\lhd_{0y}, c_{0y}) \}$ and keeping the remaining edges
the same as in $G'$. The set of valuations $[G'_1]$ equals $\{ v \in
[G'] \mid v_y \le \alpha_y \}$. If $[G'_1] = \emptyset$, we set $\beta_1$ to $(<, \infty)$ and
proceed to calculate $\beta_2$. If not, we see that from Equation (6)
for every $v \in [G'_1]$, $[v]_{yx}$ is given by $\lceil (\le, v_x - v_y) \rceil$. Let
$(\lhd_1, w_1)$ be the shortest path from $x$ to $y$ in the graph $G'_1$.
Then, we have for all $v \in [G'_1]$, $v_y - v_x \lhd_1 w_1$. If $\lhd_1$ is $\le$, then
the least value of $[v]_{yx}$ would be $(\le, -w_1)$ and if $\lhd_1$ is $<$,
one can see that the least value of $[v]_{yx}$ is $(<, -w_1 + 1)$. This
shows that $\beta_1 = \lceil (\lhd_1, -w_1) \rceil$. It now remains to calculate
$(\lhd_1, w_1)$.

Recall that $G'_1$ has the same edges as in $G$ except possibly
different edges $0 \to x$ and $0 \to y$. If the shortest path from $x$
to $y$ has changed in $G'_1$, then clearly it should be due to one of
the above two edges. However note that the edge $0 \to x$ cannot
belong to the shortest path from $x$ to $y$ since it would contain
a cycle $x \to \dots \to 0 \to x \to \dots \to y$ that can be removed to give a
shorter path. Therefore, only the edge $0 \to y$ can potentially
yield a shorter path: $x \to \dots \to 0 \to y$. However, the shortest
path from $x$ to $0$ in $G'_1$ cannot change due to the added edges
since that would form a cycle with $0$ and we know that all
cycles in $G'_1$ are positive. Therefore the shortest path from $x$
to $0$ is the direct edge $x \to 0$, and the shortest path from $x$ to
$y$ is the minimum of the direct edge $x \to y$ and the path $x \to
0 \to y$. We get: $(\lhd_1, w_1) = \min \{ (\lhd_{xy}, c_{xy}), (\lhd_{x0}, c_{x0}) + (\le,
\alpha_y) \}$ which equals $\min \{ Z_{xy}, Z_{x0} + (\le, \alpha_y) \}$. Finally, from
the argument in the above two paragraphs, we get:

$\beta_1 =$
  $(<, \infty)$ if $[G'_1] = \emptyset$
  $\lceil -Z_{xy} \rceil$ if $[G'_1] \neq \emptyset$ and $Z_{xy} \le Z_{x0} + (\le, \alpha_y)$ (7)
  $\lceil -Z_{x0} \rceil + (\le, -\alpha_y)$ if $[G'_1] \neq \emptyset$ and $Z_{xy} > Z_{x0} + (\le, \alpha_y)$



We now proceed to compute $\beta_2 = \min \{ [v]_{yx} \mid v \in
[G'] \text{ and } v_y > \alpha_y \}$. Let $G'_2$ be the graph which is obtained
from $G'$ by modifying the edge $y \to 0$ to $\min \{ Z_{y0}, (<, -\alpha_y) \}$
and keeping the rest of the edges the same as in $G'$. Clearly
$[G'_2] = \{ v \in [G'] \mid v_y > \alpha_y \}$.

Again, if $[G'_2]$ is empty, we set $\beta_2$ to $(<, \infty)$. Otherwise,
from Equation (6), for each valuation $v \in [G'_2]$, the value of
$[v]_{yx}$ is given by $(<, \lceil v_x \rceil - \alpha_y)$. For the minimum value, we
need the least value of $v_x$ from $v \in [G'_2]$. Let $(\lhd_2, w_2)$ be
the shortest path from $x$ to $0$ in $G'_2$. Then, since $-v_x \lhd_2 w_2$,
the least value of $\lceil v_x \rceil$ would be $-w_2$ if $\lhd_2$ is $\le$ and equal to
$-w_2 + 1$ if $\lhd_2$ is $<$, and $\beta_2$ would respectively be $(<, -w_2 - \alpha_y)$
or $(<, -w_2 + 1 - \alpha_y)$. It now remains to calculate $(\lhd_2, w_2)$.
Recall that $G'_2$ is $G$ with $0 \to x$ and $y \to 0$ modified. The
shortest path from $x$ to $0$ cannot include the edge $0 \to x$ since
it would need to contain a cycle, for the same reasons as in the
$\beta_1$ case. So we get $(\lhd_2, w_2) = \min \{ Z_{x0}, Z_{xy} + (<, -\alpha_y) \}$.
If $Z_{x0} < Z_{xy} + (<, -\alpha_y)$, then we take $(\lhd_2, w_2)$ as $Z_{x0}$,
otherwise we take it to be $Z_{xy} + (<, -\alpha_y)$. So, we get $\beta_2$ as
the following:

$\beta_2 =$
  $(<, \infty)$ if $[G'_2] = \emptyset$
  $-Z_{xy} + (<, 1)$ if $[G'_2] \neq \emptyset$ and $Z_{x0} \ge Z_{xy} + (<, -\alpha_y)$ (8)
  $\lceil -Z_{x0} \rceil + (<, -\alpha_y)$ if $[G'_2] \neq \emptyset$ and $Z_{x0} < Z_{xy} + (<, -\alpha_y)$

However, we would like to write $\beta_2$ in terms of the cases used for $\beta_1$ in Equation (7), so that we can write $\beta$, which equals $\min\{\beta_1, \beta_2\}$, conveniently.

Let $\psi_1$ be the inequation $Z_{xy} \le Z_{x0} + (\le, a_y)$. From Equation (7) note that $\beta_1$ has been classified according to $\psi_1$ and $\lnot\psi_1$ when $[\![G'_1]\!]$ is not empty. Similarly, let $\psi_2$ be the inequation $Z_{x0} \ge Z_{xy} + (<, -a_y)$. From Equation (8) we see that $\beta_2$ has been classified in terms of $\psi_2$ and $\lnot\psi_2$ when $[\![G'_2]\!]$ is not empty. Notice the subtle difference between $\psi_1$ and $\psi_2$ in the weight component involving $a_y$: in the former the inequality associated with $a_y$ is $\le$ and in the latter it is $<$. This necessitates a bit more analysis before we can write $\beta_2$ in terms of $\psi_1$ and $\lnot\psi_1$.

Suppose $\psi_1$ is true. So we have $(\triangleleft_{xy}, c_{xy}) \le (\triangleleft_{x0}, c_{x0} + a_y)$. This implies $c_{xy} \le c_{x0} + a_y$. Therefore $c_{x0} \ge c_{xy} - a_y$. When $c_{x0} > c_{xy} - a_y$, $\psi_2$ is clearly true. For the case when $c_{x0} = c_{xy} - a_y$, note that in $\psi_2$ the right hand side is always of the form $(<, c_{xy} - a_y)$, irrespective of the inequality in $Z_{xy}$, and so yet again $\psi_2$ is true. We have thus shown that $\psi_1$ implies $\psi_2$.

Suppose $\lnot\psi_1$ is true. We have $(\triangleleft_{xy}, c_{xy}) > (\triangleleft_{x0}, c_{x0} + a_y)$. If $c_{xy} > c_{x0} + a_y$, then clearly $c_{x0} < c_{xy} - a_y$, implying that $\lnot\psi_2$ holds. If $c_{xy} = c_{x0} + a_y$, then we need to have $\triangleleft_{xy} = \le$ and $\triangleleft_{x0} = <$. Although $\lnot\psi_2$ does not hold now, we can safely take $\beta_2$ to be $\lceil -Z_{x0} \rceil + (\le, -a_y)$ as its value is in fact equal to $-Z_{xy} + (\le, 1)$ in this case. Summarizing the above two paragraphs, we can rewrite $\beta_2$ as follows:

$$
\beta_2 =
\begin{cases}
(<, \infty) & \text{if } [\![G'_2]\!] = \emptyset \\
-Z_{xy} + (\le, 1) & \text{if } [\![G'_2]\!] \ne \emptyset \text{ and } Z_{xy} \le Z_{x0} + (\le, a_y) \\
\lceil -Z_{x0} \rceil + (\le, -a_y) & \text{if } [\![G'_2]\!] \ne \emptyset \text{ and } Z_{xy} > Z_{x0} + (\le, a_y)
\end{cases}
\qquad (9)
$$

We are now in a position to determine $\beta$ as $\min\{\beta_1, \beta_2\}$. Recall that we are in the case where $Z_{x0} \ge (\le, -a_x)$ and we have established that $[\![G']\!]$ is non-empty. Now since $[\![G']\!] = [\![G'_1]\!] \cup [\![G'_2]\!]$ by construction, both of them cannot be simultaneously empty. Hence from Equations (7) and (9) we get $\beta$, the $\min\{\beta_1, \beta_2\}$, as:

$$
\beta =
\begin{cases}
\lceil -Z_{xy} \rceil & \text{if } Z_{xy} \le Z_{x0} + (\le, a_y) \\
\lceil -Z_{x0} \rceil + (\le, -a_y) & \text{if } Z_{xy} > Z_{x0} + (\le, a_y)
\end{cases}
$$

There remains one last reasoning. To prove the lemma, we need to show that $\beta = \max\{\lceil -Z_{xy} \rceil,\ \lceil -Z_{x0} \rceil + (\le, -a_y)\}$. For this it is enough to show the following two implications:

$$
\begin{aligned}
Z_{xy} \le Z_{x0} + (\le, a_y) &\implies \lceil -Z_{xy} \rceil \ge \lceil -Z_{x0} \rceil + (\le, -a_y) \\
Z_{xy} > Z_{x0} + (\le, a_y) &\implies \lceil -Z_{xy} \rceil < \lceil -Z_{x0} \rceil + (\le, -a_y)
\end{aligned}
$$

We prove only the first implication. The second follows in a similar fashion. Let us consider the notation $(\triangleleft_{xy}, c_{xy})$ and $(\triangleleft_{x0}, c_{x0})$ for $Z_{xy}$ and $Z_{x0}$ respectively. So we have:

$$
\begin{aligned}
& (\triangleleft_{xy}, c_{xy}) \le (\triangleleft_{x0}, c_{x0}) + (\le, a_y) \\
\implies\ & (\triangleleft_{xy}, c_{xy}) \le (\triangleleft_{x0}, c_{x0} + a_y)
\end{aligned}
$$

If the constant $c_{xy} < c_{x0} + a_y$, then $-c_{xy} > -c_{x0} - a_y$ and we clearly get that $\lceil -Z_{xy} \rceil \ge \lceil -Z_{x0} \rceil + (\le, -a_y)$. If the constant $c_{xy} = c_{x0} + a_y$ and if $\triangleleft_{x0} = \le$, then the required inequation is trivially true; if $\triangleleft_{x0} = <$, it implies that $\triangleleft_{xy} = <$ too, and clearly $\lceil (<, -c_{xy}) \rceil$ equals $\lceil (<, -c_{x0}) \rceil + (\le, -a_y)$.

■

We get the following theorem that can be directly transformed into an algorithm.

Theorem 34 Let $Z, Z'$ be non-empty zones. Then, $Z \not\subseteq a_{\preceq LU}(Z')$ iff there exist two variables $x, y$ such that:

$$
Z_{x0} \ge (\le, -U_x) \quad\text{and}\quad Z'_{xy} < Z_{xy} \quad\text{and}\quad Z'_{xy} + (<, -L_y) < Z_{x0}
$$

Proof: Let $G_Z$ and $G_{Z'}$ be the canonical distance graphs representing the zones $Z$ and $Z'$ respectively. Recall that we denote by $Z_{xy}$ the weight $(\triangleleft, c)$ of the edge $x \xrightarrow{\triangleleft,\, c} y$ in the canonical distance graph representing $Z$.

From Proposition 17, Lemma 20, Lemma 23 and Proposition 27 we get that $Z \not\subseteq a_{\preceq LU}(Z')$ iff there exists a region $R$ intersecting $Z$ that satisfies one of the following conditions for variables $x \in B_R \cup C_R$ and $y \in X$:

$$
\begin{aligned}
& y \in B_R \cup U_R \text{ and } Z'_{xy} + R_{yx} < (\le, 0), \text{ or} \\
& y \in C_R \cup M_R \text{ and } R_{0x} + Z'_{xy} + (<, -L_y) < (\le, 0)
\end{aligned}
\qquad (11)
$$

Before proceeding further, we will give some notations for convenience:

$$
\begin{aligned}
C0 \;\equiv\;& Z_{x0} \ge (\le, -U_x) \text{ and } Z'_{xy} < Z_{xy} \text{ and } Z'_{xy} + (<, -L_y) < Z_{x0} \\
C1 \;\equiv\;& \text{there exist } R, x, y \text{ s.t. } R \text{ intersects } Z,\ x \in B_R \cup C_R,\ y \in B_R \cup U_R \text{ and } Z'_{xy} + R_{yx} < (\le, 0) \\
C2 \;\equiv\;& \text{there exist } R, x, y \text{ s.t. } R \text{ intersects } Z,\ x \in B_R \cup C_R,\ y \in C_R \cup M_R \text{ and } R_{0x} + Z'_{xy} + (<, -L_y) < (\le, 0)
\end{aligned}
$$

Note that from (11), to prove the theorem, it is sufficient to show:

$$
C0 \iff C1 \lor C2 \qquad (12)
$$

We will now prove (12) in the following four steps:

Step 1 Characterizing condition C1 in terms of $Z$ and $Z'$
Step 2 Characterizing condition C2 in terms of $Z$ and $Z'$
Step 3 Using steps 1 and 2, showing that $C1 \lor C2 \Rightarrow C0$
Step 4 Using steps 1 and 2, showing that $C0 \Rightarrow C1 \lor C2$

a) Step 1: Characterizing Condition C1: To see if C1 is true, we need the minimum value of $R_{yx}$ from among the regions $R$ intersecting $Z$ and satisfying $R_{0y} \le L_y$ and $R_{0x} \le U_x$. The sum of this minimum value of $R_{yx}$ and $Z'_{xy}$ is less than $(\le, 0)$ iff C1 is true. Therefore, we first restrict our attention to the part of $Z$ that gives regions with $R_{0y} \le L_y$ and $R_{0x} \le U_x$.

Let $G_1$ be the graph obtained from $G_Z$ by modifying the edge $0 \to x$ to $\min(Z_{0x}, (\le, U_x))$ and $0 \to y$ to $\min(Z_{0y}, (\le, L_y))$. Every valuation $v \in [\![G_1]\!]$ has $v_x \le U_x$ and $v_y \le L_y$ and hence gives rise to a region of our required form. Conversely, every valuation $v \in Z$ that is part of a region of the required form has $v_x \le U_x$, $v_y \le L_y$ and hence satisfies the constraints of $G_1$, that is, belongs to $[\![G_1]\!]$. We know that $Z$ is non-empty. Therefore, $[\![G_1]\!]$ will be non-empty iff the two modified edges do not introduce negative cycles:

$$
[\![G_1]\!] \ne \emptyset \iff Z_{x0} \ge (\le, -U_x) \text{ and } Z_{y0} \ge (\le, -L_y) \qquad (13)
$$

Let us assume that $[\![G_1]\!]$ is non-empty. We will now use Lemma 33 to get the least value of $R_{yx}$ among the regions $R$ that intersect $[\![G_1]\!]$. There are two cases given by Lemma 33. We first need the shortest path from $x$ to $0$ in $G_1$ to find the correct case. It is given by $Z_{x0}$ itself, since the newly modified edges cannot influence it. Therefore $[\![G_1]\!]_{x0}$ is exactly $Z_{x0}$ and, since $[\![G_1]\!]$ is non-empty, from Equation (13), $Z_{x0} \ge (\le, -U_x)$, and in particular this implies $Z_{x0} \ge (\le, -a_x)$. So we need to consider the second case of the equation given in Lemma 33. The shortest path from $x$ to $y$ in $G_1$ is given by $\min(Z_{xy},\ Z_{x0} + (\le, L_y))$. From Lemma 33 the minimum value of $R_{yx}$ is given by $\max(\lceil -Z_{xy} \rceil,\ \lceil -Z_{x0} \rceil + (\le, -L_y),\ \lceil -Z_{x0} \rceil + (\le, -a_y))$. Since $(\le, a_y) \le (\le, L_y)$, we can safely discard the last component. Substituting in C1, we get:

$$
\begin{aligned}
& Z'_{xy} + \max(\lceil -Z_{xy} \rceil,\ \lceil -Z_{x0} \rceil + (\le, -L_y)) < (\le, 0) \\
\iff\ & Z'_{xy} + \lceil -Z_{xy} \rceil < (\le, 0) \ \text{ and }\ Z'_{xy} + \lceil -Z_{x0} \rceil + (\le, -L_y) < (\le, 0) \\
\iff\ & Z'_{xy} < Z_{xy} \ \text{ and }\ Z'_{xy} + (\le, -L_y) < Z_{x0}
\end{aligned}
\qquad (14)
$$

The condition C1 is then equivalent to saying that $[\![G_1]\!]$ is non-empty and Equation (14) is true. Therefore, from Equations (13) and (14), we get the characterization for C1 in terms of $Z$ and $Z'$:

$$
\text{C1 is true} \iff
Z_{x0} \ge (\le, -U_x) \ \text{ and }\ Z_{y0} \ge (\le, -L_y) \ \text{ and }\ Z'_{xy} < Z_{xy} \ \text{ and }\ Z'_{xy} + (\le, -L_y) < Z_{x0}
\qquad (15)
$$

b) Step 2: Characterizing Condition C2: Let us follow a similar procedure to now see when C2 is true. Let $G_2$ be the graph obtained from $G_Z$ by modifying the edge $0 \to x$ to $\min(Z_{0x}, (\le, U_x))$ and the edge $y \to 0$ to $\min(Z_{y0}, (<, -L_y))$. The set $[\![G_2]\!]$ represents the set of valuations $v \in Z$ that have $v_x \le U_x$ and $v_y > L_y$. As $Z$ is non-empty, for $[\![G_2]\!]$ to be non-empty, the newly modified edges should not introduce a negative cycle:

$$
[\![G_2]\!] \ne \emptyset \iff
Z_{x0} \ge (\le, -U_x) \ \text{ and }\ Z_{0y} + (<, -L_y) > (\le, 0) \ \text{ and }\ (\le, U_x) + Z_{xy} + (<, -L_y) > (\le, 0)
\qquad (16)
$$

Let us assume that $[\![G_2]\!]$ is non-empty. We will again use Lemma 33 (taking $y$ to be $0$) to get the least value of $R_{0x}$ from among the regions $R$ that intersect $G_2$. To do this, we first need the value of $[\![G_2]\!]_{x0}$, which is the shortest path from $x$ to $0$ in $G_2$. This shortest path from $x$ to $0$ in $G_2$ is given by $\min(Z_{x0},\ Z_{xy} + (<, -L_y))$. Call it $\delta$.

As we have assumed that $[\![G_2]\!]$ is non-empty, from Equation (16) we get both $Z_{x0} \ge (\le, -U_x)$ and $Z_{xy} + (<, -L_y) > (\le, -U_x)$, and hence in particular both are greater than or equal to $(\le, -a_x)$. Therefore $\delta \ge (\le, -a_x)$ and from Lemma 33 our required least value of $R_{0x}$ from regions intersecting $G_2$ is given by $\lceil -\delta \rceil$, which is $\max(\lceil -Z_{x0} \rceil,\ \lceil -Z_{xy} + (<, L_y) \rceil)$. Substituting in C2 and setting $Z_{xy} = (\triangleleft_{xy}, c_{xy})$, we get:

$$
\begin{aligned}
& \max(\lceil -Z_{x0} \rceil,\ \lceil -Z_{xy} + (<, L_y) \rceil) + Z'_{xy} + (<, -L_y) < (\le, 0) \\
\iff\ & \lceil -Z_{x0} \rceil + Z'_{xy} + (<, -L_y) < (\le, 0) \ \text{ and }\ \lceil -Z_{xy} + (<, L_y) \rceil + Z'_{xy} + (<, -L_y) < (\le, 0) \\
\iff\ & Z'_{xy} + (<, -L_y) < Z_{x0} \ \text{ and }\ Z'_{xy} \le (\le, c_{xy} - 1)
\end{aligned}
\qquad (17)
$$

The condition C2 is then equivalent to saying that $[\![G_2]\!]$ is non-empty and Equation (17) is true. Therefore, from Equations (16) and (17), we get the characterization of C2 in terms of $Z$ and $Z'$:

$$
\begin{aligned}
\text{C2 is true} \iff\ & Z_{x0} \ge (\le, -U_x) \ \text{ and} \\
& Z_{0y} + (<, -L_y) > (\le, 0) \ \text{ and} \\
& (\le, U_x) + Z_{xy} + (<, -L_y) > (\le, 0) \ \text{ and} \\
& Z'_{xy} + (<, -L_y) < Z_{x0} \ \text{ and} \\
& Z'_{xy} \le (\le, c_{xy} - 1)
\end{aligned}
\qquad (18)
$$

c) Step 3: Showing that $C1 \lor C2 \Rightarrow C0$: Recall condition C0 given in the notations stated in the beginning of this proof. Suppose C1 is true. From Equation (15), we know that $Z_{x0} \ge (\le, -U_x)$ and $Z'_{xy} < Z_{xy}$ and $Z'_{xy} + (\le, -L_y) < Z_{x0}$. But as $(<, -L_y) < (\le, -L_y)$, we also get that $Z'_{xy} + (<, -L_y) < Z_{x0}$. Whence C0 is true.

Suppose C2 is true. From Equation (18), we have that $Z_{x0} \ge (\le, -U_x)$ and $Z'_{xy} + (<, -L_y) < Z_{x0}$ and $Z'_{xy} \le (\le, c_{xy} - 1)$. Since $Z'_{xy} \le (\le, c_{xy} - 1)$, we would have $Z'_{xy} < Z_{xy}$. Whence C0 is true.

d) Step 4: Showing that $C0 \Rightarrow C1 \lor C2$: This is the final step in the proof of the theorem and is more involved than the previous implication. Let us suppose that C0 is true. We will consider two cases in this step depending on the value of $Z_{y0}$.

Case 1: Assume that $Z_{y0} < (\le, -L_y)$. From (15), C1 cannot be true. To know if C2 is true, the conditions given in (18) should be true. As we have assumed C0 is true, we directly have $Z_{x0} \ge (\le, -U_x)$ and $Z'_{xy} + (<, -L_y) < Z_{x0}$. Also, from our assumption we have $Z_{y0} < (\le, -L_y)$, that is, $Z_{y0} \le (<, -L_y)$. As $Z$ is a non-empty zone, we will have $Z_{0y} + Z_{y0} \ge (\le, 0)$ and from our previous observation we will get $Z_{0y} + (<, -L_y) > (\le, 0)$. Come back to Equation (18) again. We have shown the first, second and fourth inequality given in the right hand side of this equation. It remains to show the third and the fifth.

Let us first show the third: $(\le, U_x) + Z_{xy} + (<, -L_y) > (\le, 0)$. From the definition of canonicity, we know that $Z_{xy} + Z_{y0} \ge Z_{x0}$, from which we can derive the following implications:

$$
\begin{aligned}
& Z_{xy} + Z_{y0} \ge Z_{x0} \\
\implies\ & Z_{xy} + (<, -L_y) \ge (\le, -U_x) \quad \text{as } Z_{y0} \le (<, -L_y) \text{ and } Z_{x0} \ge (\le, -U_x) \\
\implies\ & (\le, U_x) + Z_{xy} + (<, -L_y) > (\le, 0)
\end{aligned}
$$

This has shown the inequality in the third line of Equation (18).

For the fifth inequality, we will use the knowledge that $Z'_{xy} + (<, -L_y) < Z_{x0}$ given by C0, and derive the following implications:

$$
\begin{aligned}
& Z'_{xy} + (<, -L_y) < Z_{x0} \\
\implies\ & Z'_{xy} + (<, -L_y) < Z_{xy} + Z_{y0} \quad \text{(as } Z_{x0} \le Z_{xy} + Z_{y0} \text{ by canonicity)} \\
\implies\ & Z'_{xy} + (<, -L_y) < Z_{xy} + (<, -L_y) \quad \text{(as } Z_{y0} \le (<, -L_y) \text{ by assumption)} \\
\implies\ & (<, c'_{xy} - L_y) < (<, c_{xy} - L_y) \quad \text{(setting } Z'_{xy} = (\triangleleft'_{xy}, c'_{xy})\text{)} \\
\implies\ & c'_{xy} < c_{xy} \\
\implies\ & c'_{xy} \le c_{xy} - 1 \\
\implies\ & Z'_{xy} \le (\le, c_{xy} - 1)
\end{aligned}
$$

This gives us the fifth inequality of the right hand side of Equation (18). Hence we have shown that when $Z_{y0} < (\le, -L_y)$, $C0 \Rightarrow C1 \lor C2$.

Case 2: Now, assume that $Z_{y0} \ge (\le, -L_y)$. We already have C0 to be true, which gives the first and third inequality in the right hand side of Equation (15). Note that C0 says $Z'_{xy} + (<, -L_y) < Z_{x0}$. There is a difference in the sign of the inequality associated to $-L_y$ in the inequalities given by C0 and the one required for C1. If additionally we have $Z'_{xy} + (\le, -L_y) < Z_{x0}$, then C1 would be true.

Let us now see what happens when $Z'_{xy} + (\le, -L_y) \ge Z_{x0}$. Set $Z_{x0} = (\triangleleft_{x0}, c_{x0})$. We can have $Z'_{xy} + (\le, -L_y) \ge Z_{x0}$ and $Z'_{xy} + (<, -L_y) < Z_{x0}$ only if:

$$
c'_{xy} - L_y = c_{x0} \quad\text{and}\quad \triangleleft'_{xy} = \triangleleft_{x0} = \le \qquad (19)
$$

We will now show that C0 along with $Z_{y0} \ge (\le, -L_y)$ and (19) will make C2 true. For this, we need to show the second, third and fifth inequalities given on the right hand side of Equation (18).

Once again, from canonicity, we have $Z_{xy} \le Z_{x0} + Z_{0y}$. But $Z'_{xy} < Z_{xy}$ according to C0. Whence $Z'_{xy} < Z_{x0} + Z_{0y}$. Using (19) in addition, we get:

$$
\begin{aligned}
& (\le, c_{x0} + L_y) < (\le, c_{x0}) + Z_{0y} \\
\implies\ & (\le, L_y) < Z_{0y} \\
\implies\ & Z_{0y} + (<, -L_y) > (\le, 0)
\end{aligned}
$$

This gives the second inequality in the right hand side of Equation (18).

From C0, we know that $Z'_{xy} < Z_{xy}$ and from Equation (19), we know that $\triangleleft'_{xy} = \le$. Therefore the constant $c_{xy}$ in $Z_{xy}$ should be greater than $c'_{xy}$ by at least 1 unit: $c_{xy} \ge c'_{xy} + 1$. This directly shows that $Z'_{xy} \le (\le, c_{xy} - 1)$, the fifth inequation in the right hand side of (18).

We have now come to the very last piece of argument required for the proof. We are left with showing the third inequality of (18): $(\le, U_x) + Z_{xy} + (<, -L_y) > (\le, 0)$. From (19), we have $c'_{xy} - L_y = c_{x0}$ and $\triangleleft_{x0} = \le$. Coupling this with $Z_{x0} \ge (\le, -U_x)$ given by C0, we get that $c'_{xy} - L_y \ge -U_x$. And from the previous paragraph we know that $c'_{xy} \le c_{xy} - 1$. This gives $c_{xy} - 1 - L_y \ge -U_x$. Whence $(\le, U_x) + Z_{xy} + (<, -L_y) > (\le, 0)$.

Thus we have proved that even when $Z_{y0} \ge (\le, -L_y)$, we have $C0 \Rightarrow C1 \lor C2$. ■

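The inclusion test of Theorem 34, written out as an added example (this is not code from the paper): weights $(\triangleleft, c)$ are encoded as tuples, a zone is put into canonical form by shortest paths over its distance graph, and the three-part condition of the theorem is then checked over ordered pairs of variables. The theorem quantifies over "two variables $x, y$"; the example lets both range over the clocks and the reference clock $0$, with the convention $L_0 = U_0 = 0$, which is an assumption made here, as are the sample zones and LU-bounds (constructed for the demonstration).

```python
"""Inclusion test  Z ⊆ a_{≼LU}(Z')  on DBMs, following Theorem 34 (added example)."""
import math
from itertools import product

LT, LE = 0, 1          # strictness of a bound: 0 stands for '<', 1 for '≤'
INF = (math.inf, LT)   # weight (<, ∞): the edge is absent, no constraint
ZERO = (0, LE)         # weight (≤, 0)


def w_add(a, b):
    """Sum of two weights: constants add, the result is '≤' only if both are."""
    return (a[0] + b[0], LE if a[1] == LE and b[1] == LE else LT)


def zone(clocks, constraints):
    """Canonical DBM of a zone given by difference constraints.

    clocks      : clock names; "0" is the reference clock and gets index 0.
    constraints : tuples (i, j, c, strict) meaning  x_j - x_i ◁ c, with ◁ = '<'
                  when strict is LT and '≤' when strict is LE.
    Entry M[i][j] is the weight of the edge i -> j of the distance graph, so
    M[0][x] bounds x from above and M[x][0] bounds -x (a lower bound on x).
    """
    names = ["0"] + list(clocks)
    n = len(names)
    M = [[INF] * n for _ in range(n)]
    for i in range(n):
        M[i][i] = ZERO
        if i:
            M[i][0] = ZERO                      # clocks are non-negative: 0 - x ≤ 0
    for i, j, c, strict in constraints:
        a, b = names.index(i), names.index(j)
        M[a][b] = min(M[a][b], (c, strict))     # keep the tighter bound
    # Floyd-Warshall: shortest paths give the canonical (tightest) constraints
    for k, i, j in product(range(n), repeat=3):
        M[i][j] = min(M[i][j], w_add(M[i][k], M[k][j]))
    if any(M[i][i] < ZERO for i in range(n)):
        raise ValueError("empty zone: negative cycle in the distance graph")
    return M


def alu_witness(Z, Zp, clocks, L, U):
    """Return (x, y) witnessing Z ⊄ a_{≼LU}(Z'), or None when Z ⊆ a_{≼LU}(Z').

    Theorem 34: Z ⊄ a_{≼LU}(Z') iff there are variables x, y with
        Z_{x0} ≥ (≤, -U_x)  and  Z'_{xy} < Z_{xy}  and  Z'_{xy} + (<, -L_y) < Z_{x0}.
    Assumption made here: x and y range over the clocks and the reference
    clock "0", whose bounds are taken as L_0 = U_0 = 0.
    """
    names = ["0"] + list(clocks)
    Lb, Ub = {"0": 0, **L}, {"0": 0, **U}
    for x, y in product(range(len(names)), repeat=2):
        if x == y:
            continue
        nx, ny = names[x], names[y]
        if Z[x][0] < (-Ub[nx], LE):          # no valuation of Z has x ≤ U_x
            continue
        if not Zp[x][y] < Z[x][y]:           # Z' is not tighter than Z on y - x
            continue
        if w_add(Zp[x][y], (-Lb[ny], LT)) < Z[x][0]:
            return nx, ny
    return None


def included_in_alu(Z, Zp, clocks, L, U):
    """True iff Z ⊆ a_{≼LU}(Z')."""
    return alu_witness(Z, Zp, clocks, L, U) is None


if __name__ == "__main__":
    # Constructed sample: two clocks, Z' = {x ≤ 3, y ≤ 10} and Z = {x ≤ 5, y ≤ 10}.
    clocks = ["x", "y"]
    Zp = zone(clocks, [("0", "x", 3, LE), ("0", "y", 10, LE)])
    Z = zone(clocks, [("0", "x", 5, LE), ("0", "y", 10, LE)])
    # With L_x = U_x = 2, every v in Z with 3 < v_x ≤ 5 is simulated by a v' in Z'
    # with v'_x = 3 > L_x, so Z lies inside the abstraction of Z' ...
    print(included_in_alu(Z, Zp, clocks, {"x": 2, "y": 10}, {"x": 2, "y": 10}))  # True
    # ... but raising L_x to 3 removes that v' and the test reports a witness.
    print(alu_witness(Z, Zp, clocks, {"x": 3, "y": 10}, {"x": 2, "y": 10}))      # ('0', 'x')
```

The strictness is encoded as $0$ for $<$ and $1$ for $\le$ so that Python's tuple comparison coincides with the order on weights used in the proof (compare constants first, then $<$ before $\le$), and `min` over tuples is the weight minimum; the absent edge is $(<, \infty)$, which `math.inf` handles under addition. The test runs in time quadratic in the number of clocks once both DBMs are canonical, which is what makes the theorem directly usable as an algorithm.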
VI. Conclusions

We have shown how one can use non-convex abstractions while still working with zones. This works as soon as the abstraction satisfies the transition compatibility condition. For the construction to be efficient, though, one needs an efficient inclusion test. We have given such a test for the $a_{\preceq LU}$ abstraction. In [11] we have shown an efficient inclusion test for the $\mathit{Closure}_{\preceq LU}$ abstraction. The test presented here is conceptually more difficult to obtain. In the case of $\mathit{Closure}_{\preceq LU}$ we were looking at which regions intersect a closure of a zone. For this it has of course been enough to look at the zone itself. Since the $a_{\preceq LU}$ abstraction is not defined as a closure of a zone, the task here has been substantially more complicated. It is even surprising that the inclusion test with respect to such a big abstraction can be done by simply looking at projections on two variables.

The result showing that the $a_{\preceq LU}$ abstraction is the biggest possible is quite unexpected. It works thanks to the observation that when doing forward exploration it is enough to consider only time-elapsed zones. This result explains why after $\mathit{Extra}^+_{LU}$ from [3] there have been no new abstraction operators [6]. Indeed it is not that easy to find a better zone inside the $a_{\preceq LU}$ abstraction than that given by the $\mathit{Extra}^+_{LU}$ abstraction. The inclusion test for $a_{\preceq LU}$ turns out to be even simpler than for $\mathit{Closure}_{\preceq LU}$, which in turn subsumes the $\mathit{Extra}^+_{LU}$ test. Hence by all criteria it is preferable to use $a_{\preceq LU}$ over the other two.

The maximality result for $a_{\preceq LU}$ shows that to improve reachability testing even further we will need to look at new structural properties of timed automata, or to consider more refined algorithms than forward exploration.